Nuclear Security Regulations: SOR/2025-219

Canada Gazette, Part II, Volume 159, Number 24

Registration
SOR/2025-219 October 30, 2025

NUCLEAR SAFETY AND CONTROL ACT

P.C. 2025-743 October 30, 2025

The Canadian Nuclear Safety Commission makes the annexed Nuclear Security Regulations under subsection 44(1)^{footnote a} of the Nuclear Safety and Control Act ^{footnote b}.

Ottawa, June 26, 2025

Pierre Tremblay
President of the Canadian Nuclear Safety Commission

Her Excellency the Governor General in Council, on the recommendation of the Minister of Natural Resources, under subsection 44(1)^{footnote a} of the Nuclear Safety and Control Act ^{footnote b}, approves the annexed Nuclear Security Regulations made by the Canadian Nuclear Safety Commission.

Nuclear Security Regulations

Definitions

Definitions

1 The following definitions apply in these Regulations.

Act

means the Nuclear Safety and Control Act. (Loi)

business day

means a day that is not a Saturday or a holiday. (jour ouvrable)

Category I nuclear material

means a nuclear substance listed in column 1 of the schedule that is in the form set out in column 2 and the quantity set out in column 3. (matière nucléaire de catégorie I)

Category II nuclear material

means a nuclear substance listed in column 1 of the schedule that is in the form set out in column 2 and the quantity set out in column 4. (matière nucléaire de catégorie II)

Category III nuclear material

means a nuclear substance listed in column 1 of the schedule that is in the form set out in column 2 and the quantity set out in column 5. (matière nucléaire de catégorie III)

central alarm station operator

means a person who holds an authorization referred to in subsection 57(1). (opérateur du poste central d’alarme)

critical security measure

means any equipment, process or system the continuous operation of which is necessary to ensure that an effective intervention can be made. (mesure de sécurité essentielle)

design basis threat

means all of the threats that are identified in respect of high-security sites by the Commission under subsection 28(1). (menace de référence)

direct visual surveillance

means direct and continuous observation of a person or place by a person who is

(a) physically present where the person is located or at the place that is under observation; or
(b) remotely observing that person or place. (surveillance visuelle directe)

Directive on Security Screening

means the document entitled Directive on Security Screening, published by the Treasury Board Secretariat, as amended from time to time. (Directive sur le filtrage de sécurité)

D-value

means, in respect of a nuclear substance, the D-value set out for that substance in Table 1 to section 2 of the document entitled Dangerous quantities of radioactive material (D-values), published by the International Atomic Energy Agency, as amended from time to time. (valeur D)

effective intervention

means an intervention that is timely and powerful enough to prevent the unauthorized removal of nuclear substances from a nuclear facility and

(a) in respect of an area within a high-security site where the results of sabotage would be to endanger the health or safety of persons, to prevent sabotage; and
(b) in respect of an area within a high-security site where the results of sabotage would be to impact the health or safety of persons, to prevent or mitigate sabotage. (défense efficace)

enhanced security clearance

means a clearance referred to in subsection 45(1). (cote de sécurité approfondie)

explosive substance

has the same meaning as in section 2 of the Criminal Code. (substance explosive)

facility-access security clearance

means a clearance granted by a licensee, as defined in section 83, that allows a person to enter and remain in a nuclear facility referred to in paragraph 3(c). (cote de sécurité donnant accès à l’installation)

firearm

has the same meaning as in section 2 of the Criminal Code. (arme à feu)

high-security site

means a nuclear facility at which Category I nuclear material or Category II nuclear material is produced, processed, used or stored. (site à sécurité élevée)

high-security site access clearance

means a clearance granted by a licensee, as defined in section 25, that allows a person to enter and remain in a protected area at a high-security site. (cote donnant accès au site à sécurité élevée)

inner area

means an area that is within a protected area and is for the processing, production, use or storage of Category I nuclear material. (zone intérieure)

inspector

means a person who is designated as an inspector under section 29 of the Act. (inspecteur)

limited access area

means a clearly demarcated area of a nuclear facility that is outside of a protected area and to which the licensee, as defined in section 25, controls access. (zone à accès limité)

nuclear security event

means an event that has potential or actual implications for nuclear security and that necessitates a response. (événement de sécurité nucléaire)

nuclear security measure

means a physical security or cyber security measure that is intended to deter, detect, delay or respond to a threat to a nuclear facility, a nuclear substance or the confidentiality, integrity or availability of sensitive information. (mesure de sécurité nucléaire)

nuclear security officer

means a person who holds an authorization referred to in subsection 55(1). (agent de sécurité nucléaire)

nuclear security support person

means a person, other than a nuclear security officer or central alarm station operator, whose duties in relation to a high-security site include any of the following:

(a) the design, installation, maintenance or repair of a nuclear security system or a nuclear security measure;
(b) the control, maintenance or repair of firearms and related equipment;
(c) the control, maintenance or repair of access control systems;
(d) the assessment, denial, revocation or granting of authorizations or clearances;
(e) the monitoring of threats that may affect the site; and
(f) training related to any of the activities referred to in paragraphs (a) to (e). (préposé à la sécurité nucléaire)

nuclear security system

means an integrated set of nuclear security measures at a nuclear facility. (système de sécurité nucléaire)

off-site response force

means a force that is not stationed at a nuclear facility and that is composed of

(a) members of a local, regional, provincial or federal police force;
(b) members of a Canadian Armed Forces unit;
(c) members, other than those referred to in either paragraph (a) or (b), who
- (i) in the case of a high-security site, are capable of making an effective intervention at the site, taking into account the design basis threat and any other threat identified in the threat and risk assessment, and
- (ii) in the case of any other nuclear facility, are capable of making an effective intervention at the nuclear facility, taking into account the threats identified in the threat and risk assessment; or
(d) any combination of the members referred to in paragraphs (a) to (c). (force d’intervention externe)

on-site nuclear response force

means

(a) a team of nuclear security officers who are permanently stationed at a high-security site; or
(b) the members of a local, regional, provincial or federal police force or a Canadian Armed Forces unit, or any combination of those members, whose services the licensee, as defined in section 2, has retained and who are permanently stationed at a high-security site. (force d’intervention nucléaire interne)

physical barrier

means a fence, wall or similar impediment that controls access to the area that it encloses and delays unauthorized access to that area. (barrière physique)

protected area

means an area that is within a high-security site and is for the production, processing, use or storage of Category I nuclear material or Category II nuclear material. (zone protégée)

sabotage

means any deliberate act that

(a) is directed against a nuclear facility or Category I nuclear material, Category II nuclear material or Category III nuclear material that is in use, storage or transport; and
(b) could directly or indirectly impact the environment or the health or safety of persons as a result of exposure to radiation or the release of a nuclear substance. (sabotage)

security exercise

means a test of the elements of a contingency plan and nuclear security measures and, in the case of a security exercise referred to in subsection 101(1), a test of multiple nuclear security measures. (exercice de sécurité)

security guard

means a person who carries out duties related to the security of a nuclear facility referred to in paragraph 3(c), such as direct visual surveillance of the facility and the protection of persons and property. (garde de sécurité)

security personnel

means the nuclear security officers, nuclear security support persons and central alarm station operators of a nuclear facility and their supervisors. (personnel de sécurité)

sensitive information

means information, including the information referred to in section 21 of the General Nuclear Safety and Control Regulations, in any form, including software, whose unauthorized disclosure, modification or destruction or to which denial of access could compromise nuclear security. (renseignements de nature délicate)

threat and risk assessment

means an assessment that

(a) identifies sensitive information and the threats to that information;
(b) identifies any threat that could
- (i) compromise the security of a nuclear facility or its operations,
- (ii) exploit vulnerabilities in a nuclear facility’s nuclear security measures, or
- (iii) in the case of the transport of Category I nuclear material, Category II nuclear material or Category III nuclear material, compromise the security of sensitive information or the nuclear material; and
(c) evaluates the risks posed by those threats and the adequacy and effectiveness of an existing or proposed nuclear security system or nuclear security measure that is designed to protect against those threats. (évaluation de la menace et du risque)

threat item

means

(a) an object, other than a match or pocket lighter, that is fabricated with combustible materials and that could be used to inflict burn injuries on persons or cause fire damage to property;
(b) a component of a weapon, an explosive device or an object referred to in paragraph (a); and
(c) any other item that could pose a threat to the security of a nuclear facility. (article dangereux)

vehicle portal

means a portal for the passage of land vehicles that has enclosed sides, a movable barrier at either end and is large enough to accommodate a land vehicle. (sas pour véhicule)

vital area

means an area that is inside a protected area and that contains equipment, systems, structures, components or nuclear substances the sabotage of which could directly or indirectly impact the environment or the health or safety of persons as a result of exposure to radiation or the release of a nuclear substance. (zone vitale)

weapon

has the same meaning as in section 2 of the Criminal Code. (arme)

PART 1
General Provisions

Definition

Definition of licensee

2 In this Part, licensee means any of the following persons:

(a) a person who, in relation to a high-security site, is licensed under the Act to
- (i) carry out an activity described in any of paragraphs 26(a), (e) or (f) of the Act; or
- (ii) produce, refine, convert, enrich, process, reprocess, manage, store or dispose of Category I nuclear material or Category II nuclear material;
(b) a person who, in relation to a nuclear facility referred to in paragraph 3(c) of these Regulations, is licensed under the Act to
- (i) carry out an activity described in any of paragraphs 26(a), (e) or (f) of the Act; or
- (ii) produce, refine, convert, enrich, process, reprocess, manage, store or dispose of a nuclear substance; and
(c) a person who, in respect of Category I nuclear material, Category II nuclear material, Category III nuclear material or a nuclear substance referred to in paragraph 3(d) of these Regulations, is licensed under the Act to
- (i) carry out an activity described in any of paragraphs 26(a), (e) or (f) of the Act, or
- (ii) produce, refine, convert, enrich, process, reprocess, manage, store or dispose of a nuclear substance.

Application

Application of Part

3 This Part applies in respect of

(a) Category I nuclear material, Category II nuclear material and Category III nuclear material;
(b) high-security sites;
(c) the following nuclear facilities, other than those that are high-security sites:
- (i) a nuclear fission or fusion reactor or subcritical nuclear assembly,
- (ii) a plant for the processing, reprocessing or separation of an isotope of uranium, thorium or plutonium,
- (iii) a plant for the manufacture of a product from uranium, thorium or plutonium,
- (iv) a plant for the processing or use, in a quantity greater than 10¹⁵ Bq per calendar year, of nuclear substances other than uranium, thorium or plutonium,
- (v) a vehicle that is equipped with a nuclear reactor, and
- (vi) a facility for the disposal of Category I nuclear material, Category II nuclear material or Category III nuclear material that is generated at another nuclear facility; and
(d) nuclear substances, other than Category I nuclear material, Category II nuclear material or Category III nuclear material, that are referred to in any of paragraphs (c), (e) or (f) of the definition nuclear substance in section 2 of the Act, that have an activity greater than or equal to 10 times the D-value for that substance and that is located at a nuclear facility referred to in paragraph (b) or (c) of this section.

Licence Application

Required information

4 An application for a licence in respect of Category I nuclear material, Category II nuclear material or Category III nuclear material or a nuclear facility, other than a transport licence, must contain, in addition to the information required by section 3 of the Nuclear Substances and Radiation Devices Regulations or sections 3 to 8 of the Class I Nuclear Facilities Regulations, as applicable,

(a) a nuclear security plan that contains
- (i) a description of the proposed nuclear security system, including each nuclear security measure and any characteristics of the design of the nuclear facility that improve its security,
- (ii) a list that identifies each nuclear security measure that is a critical security measure and that sets out the compensatory measures that will be implemented in the event that it becomes degraded, inoperative or compromised,
- (iii) a description of the areas where Category I nuclear material, Category II nuclear material or Category III nuclear material or other nuclear substances are to be produced, used, processed, stored or transported and the location of those areas,
- (iv) the written arrangements made between the applicant and any off-site response force,
- (v) the plan and procedures to assess and respond to nuclear security events at the nuclear facility,
- (vi) the process for controlling access to the nuclear facility and verifying the identity of each person who accesses it,
- (vii) the processes for determining who, on entering or exiting the nuclear facility, will be searched or screened, and
- (viii) the cyber security program consisting of the plans, policies and procedures for the protection of the computer systems and electronic components of the nuclear facility against cyber security threats identified in the threat and risk assessment; and
(b) the threat and risk assessment.

Security Requirements

Nuclear Security Plan

Review and update

5 (1) A licensee must review the nuclear security plan at least once per year and update it to reflect any changes to the information that it is required to contain.

Copy to be provided before implementation

(2) The licensee must provide a copy of the updated nuclear security plan to the Commission before it is implemented.

Threat and Risk Assessment

Minimum frequency

6 (1) A licensee must conduct, at least once every five years, a threat and risk assessment specific to each nuclear facility at which they carry on licensed activities.

Review and update

(2) The licensee must

(a) review the threat and risk assessment at least once per year and after any nuclear security event at the nuclear facility or after the licensee becomes aware of a change in any threat that is identified in the assessment or of a new vulnerability or threat;
(b) update the threat and risk assessment to implement any changes that were identified in the review as being necessary; and
(c) update the nuclear security plan if the changes referred to in paragraph (b) necessitate changes to the information that the plan is required to contain.

Modifications to nuclear security system

(3) After providing the copy of the updated nuclear security plan under subsection 5(2), the licensee must make the modifications to its nuclear security system that are necessary to counter any vulnerabilities or threats identified in the threat and risk assessment.

Record to be kept

(4) For each threat and risk assessment that is conducted, the licensee must keep a record that sets out the results of that threat and risk assessment and each update under paragraph (2)(b).

Records to be provided

(5) A licensee must provide to the Commission

(a) any record referred to in subsection (4) on request of the Commission; and
(b) the record of the results of the threat and risk assessment or an update under paragraph (2)(b), as the case may be, within 60 days after the day on which the threat and risk assessment or the update is completed.

Effective intervention

7 A licensee must implement nuclear security measures that ensure that an effective intervention can be made, taking into account the threats identified in the threat and risk assessment.

Security Program

Training program — behaviour of personnel

8 A licensee must develop and implement a training program to ensure that its supervisors are trained to recognize and report behaviour of personnel, including contractors, that could pose a threat to security at a nuclear facility at which it carries on licensed activities.

Security culture

9 (1) A licensee must implement measures to promote and support security culture.

Record to be kept

(2) The licensee must keep a record of the security culture measures that it implements.

Interfaces of safety, security and safeguards

10 (1) A licensee must, to the extent possible, ensure that

(a) nuclear security measures and, if any, nuclear material accountancy activities are designed and implemented so as to avoid and resolve conflicts between them and to detect, prevent and deter the unauthorized removal of any Category I nuclear material, Category II nuclear material or Category III nuclear material from a nuclear facility at which it carries on licensed activities;
(b) nuclear security measures do not compromise the environment or the health or safety of persons; and
(c) measures taken to protect the environment or the health or safety of persons do not compromise the security of a nuclear facility at which it carries on licensed activities.

Process to coordinate measures

(2) The licensee must establish, implement and maintain a process to

(a) avoid and resolve conflicts between nuclear security measures and, if any, nuclear material accountancy activities; and
(b) coordinate nuclear security measures, environmental protection measures and health and safety protection measures.

Record to be kept

(3) The licensee must keep a record that sets out the process referred to in subsection (2).

Compensatory measures

11 (1) If a critical security measure for a nuclear facility at which a licensee carries on licensed activities becomes degraded, inoperative or compromised, the licensee must immediately implement compensatory measures that are as effective as that measure was before it became degraded, inoperative or compromised.

Records to be kept

(2) A licensee must keep a record that sets out the process for implementing the compensatory measures and a record that sets out each instance in which a compensatory measure is implemented.

Compromise of critical security measure

12 When a licensee becomes aware that a device that is part of a critical security measure is degraded, inoperative or compromised in any way, including by loss, theft or unauthorized transfer, the licensee must

(a) replace the device or restore it to its proper functioning as soon as feasible; and
(b) determine, on the basis of an investigation, how it became degraded, inoperative or compromised.

Security guards

13 (1) A licensee must ensure that each security guard at a nuclear facility at which it carries on licensed activities is trained and qualified to carry out their assigned duties.

Record to be kept

(2) The licensee must keep a record of the training that it provides to each security guard and proof that they are qualified to carry out their assigned duties.

Arrangements with off-site response force

14 (1) A licensee must make written arrangements with an off-site response force that, alone or in conjunction with the on-site nuclear response force, if any, is capable of making, at a nuclear facility at which the licensee carries on licensed activities, an effective intervention against any physical threat identified in the threat and risk assessment.

Provisions in arrangements

(2) The written arrangements must provide for

(a) a process for determining when and how the off-site response force is to be notified when a nuclear security event occurs at the facility;
(b) annual visits to the nuclear facility by members of the off-site response force to familiarize them with the facility;
(c) the joint development by the licensee and the off-site response force of a contingency plan to facilitate effective interventions by that force;
(d) the roles and responsibilities of the licensee and the off-site response force in responding to nuclear security events; and
(e) the participation of the off-site response force in security exercises.

Arrangements signed

(3) The licensee must ensure that the written arrangements are signed by the licensee and a person who is authorized to sign on behalf of the off-site response force.

Alarm-monitoring

15 (1) A licensee must have alarm-monitoring capability or make arrangements with an alarm monitoring service.

Alarm-monitoring service

(2) If the licensee has made arrangements with an alarm-monitoring service, those arrangements must provide for the procedure by which the service will notify the licensee or the off-site response force in the event that an alarm signal is received from the nuclear facility.

Cyber Security and Protection of Information

Cyber security program

16 (1) A licensee must, for each nuclear facility at which it carries on licensed activities, implement and maintain the cyber security program referred to in subparagraph 4(a)(viii).

Protection against cyber security threats

(2) The licensee must protect the computer systems and electronic components of the nuclear facility against the cyber security threats that are identified in the threat and risk assessment.

Protection of sensitive information

17 (1) A licensee must protect the sensitive information that is identified in the threat and risk assessment against the threats that are identified in that assessment.

Nuclear security measures

(2) The licensee must implement nuclear security measures that protect the confidentiality, integrity and availability of the sensitive information referred to in subsection (1) against the threats that are identified in the threat and risk assessment.

Access to sensitive information

(3) The licensee must not permit a person to access sensitive information unless the person requires that access to carry out their duties.

Identity verification, clearance or authorization

18 A licensee must implement measures to protect the following information from loss or theft and unauthorized access, use, disclosure, duplication, alteration or destruction:

(a) information that is collected, used, retained or disclosed for the purposes of identity verification; and
(b) information that is collected, used, retained or disclosed in relation to a clearance or authorization.

Security Obligations Relating to Nuclear Substances

Category I nuclear material

19 A licensee must only produce, process, use or store Category I nuclear material in an inner area.

Category II nuclear material

20 A licensee must only produce, process, use or store Category II nuclear material in a protected area.

Category III nuclear material

21 A licensee must only produce, process, use or store Category III nuclear material in

(a) a protected area; or
(b) any other area that is equipped with detection, delay and response measures and that is designed and constructed to prevent unauthorized access to the material.

Other nuclear substances

22 (1) A licensee may only produce, process, use or store a nuclear substance, other than Category I nuclear material, Category II nuclear material or Category III nuclear material, that has an activity that is greater than or equal to 10 times the D-value for that substance in an area within a nuclear facility that is designed and constructed to prevent unauthorized access to the nuclear substance.

Security measures

(2) In respect of the area referred to in subsection (1), the licensee must

(a) maintain a list of the persons who are authorized to access the area;
(b) permit only authorized persons to access the area; and
(c) implement measures to detect, and assess the necessary response to,
- (i) any unauthorized access to a nuclear substance in the area, and
- (ii) any tampering or attempted tampering that could compromise or degrade a nuclear security measure or render it inoperative or ineffective.

Removal of nuclear substances

23 A licensee must ensure that nuclear substances are not removed from a nuclear facility at which it carries on licensed activities except in accordance with a licence.

Detection of unauthorized removal

24 (1) If a licensee detects the unauthorized removal of nuclear substances from a nuclear facility at which it carries on licensed activities, it must

(a) determine the reason for the unauthorized removal; and
(b) assess and immediately respond to the unauthorized removal.

Record to be kept

(2) The licensee must keep a record that sets out the process by which it will ensure that any unauthorized removal of nuclear substances from the facility is dealt with in accordance with subsection (1).

PART 2
High-Security Sites

Definition

Definition of licensee

25 In this Part, licensee means a person who, in relation to a high-security site, is licensed under the Act to carry out any of the following activities:

(a) carry out an activity described in any of paragraphs 26(a), (e) or (f) of the Act; or
(b) produce, refine, convert, enrich, process, reprocess, manage, store or dispose of Category I nuclear material or Category II nuclear material.

Application

Application of Part

26 This Part applies in respect of high-security sites.

Licence Application

Additional information and documents

27 The nuclear security plan contained in an application for a licence in respect of a high-security site must contain, in addition to the information and documents required under paragraph 4(a), the following information and documents:

(a) in the description of the proposed nuclear security system, a description of the central alarm station, the backup alarm station and the physical barriers, structures, devices and nuclear security measures in respect of each protected area, vital area and inner area in the site;
(b) a description of the protected areas, vital areas and inner areas in the site and the potential targets of sabotage and the location of those areas and targets in the site;
(c) information about the organizational structure, duties and training of nuclear security officers, the procedures those officers must follow and the minimum number of nuclear security officers and other personnel who will carry out duties related to security at the site;
(d) a description of the nuclear security measures that will be implemented by the licensee to ensure that an effective intervention can be made at that site, taking into account the design basis threat and any other threat identified in the threat and risk assessment;
(e) a description of the on-site and off-site communications equipment, systems and procedures;
(f) the tactical deployment plans developed with the off-site response force and, if any, the on-site nuclear response force, including an analysis of potential pathways for adversaries and security response times; and
(g) for each physical barrier and nuclear security measure that is intended to delay adversaries who are described in the design basis threat or the threat and risk assessment, an analysis of the delay time provided by that barrier or measure and the data supporting that analysis.

Design Basis Threat

Commission to identify threats

28 (1) The Commission must identify any threat involving a person or group that may have the capability, motivation and intent to attempt

(a) the sabotage of a high-security site; or
(b) the unauthorized removal of Category I nuclear material or Category II nuclear material from a high-security site.

Commission to inform licensee

(2) The Commission must inform each licensee of the design basis threat.

Nuclear security system

29 (1) A licensee must design a nuclear security system taking into account the design basis threat and any other threat identified in the threat and risk assessment, evaluate the ability of the system to respond to those threats and make modifications to the system as necessary.

Nuclear security measures

(2) The licensee must implement nuclear security measures that ensure that an effective intervention can be made, taking into account the design basis threat and any other threat identified in the threat and risk assessment.

Record to be kept

(3) The licensee must keep a record that sets out the processes it has implemented to design and make modifications to the nuclear security system.

Security Requirements

Nuclear Security Officers

Number and duties

30 (1) A licensee must have, at all times, a sufficient number of nuclear security officers available at a high-security site to carry out the following duties:

(a) conducting patrols of the site, including in the limited access area, if any;
(b) controlling and monitoring the movement of persons, property, Category I nuclear materials, Category II nuclear materials, Category III nuclear materials and vehicles at the site, including in the limited access area, if any;
(c) conducting searches of persons and everything in their possession, including any land vehicle, when they enter or exit a protected area or inner area;
(d) assessing and responding to nuclear security events;
(e) apprehending and detaining intruders;
(f) observing and reporting on the movements of intruders;
(g) assisting in making effective interventions against intruders;
(h) operating nuclear security systems and devices; and
(i) carrying out any other duties that nuclear security officers are required to carry out under these Regulations.

Record to be kept

(2) The licensee must keep a record that sets out the duties of its nuclear security officers and give a copy of it to each officer.

Provision of equipment

31 A licensee must provide each of its nuclear security officers with the equipment, devices and apparel that are necessary to carry out their duties.

Training, knowledge, skill and qualifications

32 (1) A licensee must ensure that a nuclear security officer does not carry out a duty unless

(a) they have the training, knowledge and skill that is necessary to allow them to carry out that duty; and
(b) they are qualified to carry out that duty.

Continuing training program

(2) The licensee must ensure that each of its nuclear security officers participates in a continuing training program that includes training regarding

(a) their duties and responsibilities when responding to nuclear security events, including the use of force;
(b) the security procedures and nuclear security measures that are relevant to their duties;
(c) the design basis threat and any other threat identified in the threat and risk assessment that is relevant to their duties; and
(d) the licensee’s obligations under the Act and its regulations that are relevant to their duties.

Record to be kept

(3) The licensee must keep a record of the training received by each of its nuclear security officers.

Record to be kept — firearms

33 A licensee must keep a record that sets out the following information in respect of each of its nuclear security officers whose duties require them to carry a firearm:

(a) the officer’s name;
(b) information that demonstrates that the officer is authorized to carry firearms in Canada and is trained and qualified to use them; and
(c) whether or not the officer is a member of the on-site nuclear response force.

Response Forces

On-site nuclear response force required

34 (1) Subject to subsection (2), a licensee must maintain an on-site nuclear response force that, in combination with the off-site response force and the nuclear security measures for the high-security site, is capable of making an effective intervention, taking into account the design basis threat and any other threat identified in the threat and risk assessment.

Exception

(2) The licensee is not required to maintain an on-site nuclear response force if

(a) it implements nuclear security measures that are capable of ensuring that an effective intervention can be made, taking into account the design basis threat and any other threat identified in the threat and risk assessment; and
(b) at least 90 days before the first day on which the high-security site will operate without an on-site nuclear response force, it provides to the Commission notice in writing of its intent not to maintain one, a description of the measures referred to in paragraph (a) and information that demonstrates how implementation of those measures will ensure that an effective intervention can be made, taking into account the design basis threat and any other threat identified in the threat and risk assessment.

Firearms

(3) The licensee must ensure that every nuclear security officer who is a member of its on-site nuclear response force is authorized to carry firearms in Canada and is trained and qualified to use them.

Equipment

(4) The licensee must provide nuclear security officers who are members of the on-site nuclear response force with the equipment, devices and apparel that are necessary to make an effective intervention, taking into account the design basis threat and any other threat identified in the threat and risk assessment.

Arrangements with off-site response force

35 In addition to meeting the requirements of section 14, the written arrangements made between the licensee and the off-site response force in respect of a high-security site must provide for

(a) the means by which an immediate and continuous communication capability is to be established between the central alarm station, the backup alarm station, nuclear security officers and the off-site response force;
(b) the means by which the off-site response force, if requested by the licensee, is to assist the on-site nuclear response force, if any, in making an effective intervention, taking into account the design basis threat and any threat set out in the threat and risk assessment;
(c) the duties of the on-site nuclear response force, if any, when responding to nuclear security events and how the on-site nuclear response force will integrate their response with that of the off-site response force;
(d) if an on-site nuclear response force is not maintained at the site, the availability of a sufficient number of off-site response force members who are trained and equipped to make an effective intervention, taking into account the design basis threat and any threat set out in the threat and risk assessment; and
(e) an annual consultation between the licensee and the off-site response force regarding site familiarization and continuing training.

Contingency Plan

Plan required

36 A licensee must develop and maintain a contingency plan to ensure that an effective intervention can be made, taking into account the design basis threat and any other threat identified in the threat and risk assessment.

Security Drill and Security Exercise Program

Program elements

37 (1) A licensee must implement a security drill and security exercise program that, by means of physical drills, cyber security drills and security exercises, verifies and evaluates

(a) the readiness of security personnel; and
(b) the effectiveness of all elements of the contingency plan and the nuclear security system, including the nuclear security measures for the transport of nuclear substances.

Program updates

(2) The licensee must update the program after each security drill or security exercise if the results of that drill or exercise indicate that an update is necessary.

Security drills

38 (1) A licensee must conduct a security drill at least once every 30 days to test the readiness of its security personnel and the operation of one or more nuclear security measures or one or more elements of the contingency plan.

Participation of nuclear security officers

(2) The licensee must ensure that, at least once in each quarter of a given year, every nuclear security officer whose duties include the implementation of the contingency plan participates in a security drill.

Security exercise

39 (1) A licensee must, in cooperation with the off-site response force, at least once every two years, conduct a security exercise that tests

(a) the ability of all elements of the contingency plan and the nuclear security measures to ensure that an effective intervention can be made, taking into account the design basis threat and any other threat identified in the threat and risk assessment; and
(b) the readiness of its security personnel and the off-site response force to respond to the design basis threat and any other threat identified in the threat and risk assessment.

Notice to Commission

(2) The licensee must notify the Commission in writing of its intent to conduct a security exercise at least four months before the day on which the exercise is to be held.

Records to be kept

40 (1) A licensee must, for each security drill and security exercise that it conducts, keep a record that contains

(a) an outline of the scenario for that drill or exercise;
(b) an evaluation of the readiness of its security personnel and the off-site response force;
(c) an evaluation of the effectiveness of the elements of the contingency plan and the nuclear security measures that were tested; and
(d) a description of any corrective actions that, taking the results of those evaluations into account, are necessary.

Records to be provided — security exercise

(2) The licensee must, within 180 days after the day on which a security exercise is completed, provide to the Commission a copy of the record for that exercise.

Corrective action plan

41 (1) If a corrective action referred to in paragraph 40(1)(d) is to be implemented using a phased approach, the licensee must create a corrective action plan that sets out

(a) the reasons for the corrective action;
(b) the rationale for the phased approach; and
(c) a timetable that sets out when each phase of the plan will be completed.

Implementation

(2) The licensee must implement the corrective actions and, if they are to be implemented using a phased approach, each phase must be completed in accordance with the timetable set out in the corrective action plan.

Corrective action plan to be provided

(3) The licensee must, within 90 days after the day on which the related security drill or security exercise is completed, provide a copy of the corrective action plan, if any, to the Commission.

Central Alarm Station

Central alarm station

42 (1) A licensee must ensure that the nuclear security measures referred to in subparagraphs 61(2)(a)(i) and (ii) and 68(1)(a)(i) and (ii) are monitored from a central alarm station.

Requirements

(2) The central alarm station must be

(a) located outside any vital area or inner area;
(b) designed, constructed and located so as to resist forced entry, taking into account the design basis threat and any other threat identified in the threat and risk assessment;
(c) attended at all times by at least one central alarm station operator;
(d) designed or operated so as to prevent a solitary central alarm station operator from tampering with or compromising a nuclear security measure or disabling it without the licensee’s authorization;
(e) equipped so as to enable a central alarm station operator inside the central alarm station to receive, assess and acknowledge the alarms referred to in subparagraphs 61(2)(a)(iii) and (b)(ii) and 68(1)(a)(iii) and (b)(ii); and
(f) equipped with devices that
- (i) enable and record secure communication with nuclear security officers, nuclear security support persons and the off-site response force, and
- (ii) are designed and installed such that the failure of one of the devices does not prevent that communication.

Entry

(3) The licensee must not permit a person to enter the central alarm station unless they are security personnel or otherwise authorized to enter by the licensee and they require entry to carry out their duties.

Operational readiness

(4) The licensee must implement processes that ensure that the central alarm station maintains operational readiness.

Backup Alarm Station

Station requirements

43 (1) A licensee must establish a backup alarm station that is

(a) independent from the central alarm station; and
(b) designed and equipped such that, in the event that the central alarm station is inoperative or cannot be used, it can carry out the same functions as the central alarm station.

Operations

(2) The licensee must ensure that the backup alarm station is operated only by security personnel who have received training on its operation.

Entry

(3) The licensee must not permit a person to enter the backup alarm station unless they are security personnel or otherwise authorized to enter by the licensee and they require entry in order to carry out their duties.

Operational readiness

(4) The licensee must implement processes that ensure that the backup alarm station maintains operational readiness.

Testing

(5) The licensee must test the functions of the backup alarm station at least once every five years.

Clearances and Authorizations

Clearances

High-security Site Access Clearance

Conditions

44 (1) A licensee may grant a high-security site access clearance to a person if

(a) it determines, after verifying the information and documents set out in subsection (2) and taking the factors referred to in subsection (3) into consideration, that the person does not pose an unreasonable risk to the health or safety of persons or the security of the high-security site; or
(b) it verifies that the person holds
- (i) a valid high-security site access clearance or enhanced security clearance granted by another licensee, or
- (ii) a valid secret or top secret clearance granted under the Directive on Security Screening.

Verification of documents and information

(2) For the purpose of paragraph (1)(a), the licensee must verify the following information and documents in respect of the person who is seeking the high-security site access clearance:

(a) the information and documents referred to in subsection 85(2); and
(b) a security assessment carried out by the Canadian Security Intelligence Service.

Factors to be considered

(3) For the purpose of making the determination referred to in paragraph (1)(a), the licensee must take the following factors into consideration:

(a) the relevance of the information and documents referred to in subsection (2), including the circumstances of any convictions, their seriousness, number and frequency, the date of the last conviction and any sentence or other disposition;
(b) whether it is known or there are reasonable grounds to suspect that the person
- (i) is or has been involved in — or contributes or has contributed to — criminal offences or acts of violence against persons or property,
- (ii) is or has been involved in — or contributes or has contributed to — activities that constitute threats to the security of Canada as defined in section 2 of the Canadian Security Intelligence Service Act,
- (iii) is or has been a member of a terrorist group as defined in subsection 83.01(1) of the Criminal Code or is or has been involved in — or contributes or has contributed to — the activities of such a group,
- (iv) is or has been a member of a criminal organization as defined in subsection 467.1(1) of the Criminal Code or has been involved in — or contributes or has contributed to — the activities of such an organization, or
- (v) is or has been associated with anyone who is known to be involved in or to contribute to — or in respect of whom there are reasonable grounds to suspect involvement in or contribution to — activities referred to in subparagraph (i) or (ii), or who is a member of a group or organization referred to in subparagraph (iii) or (iv);
(c) whether there are reasonable grounds to suspect that the person is in a position in which there is a risk that they could be induced to commit an act or to assist or abet any person to commit an act that might constitute an unreasonable risk to the health or safety of persons or the security of the high-security site;
(d) whether a clearance issued in respect of the person has previously been revoked because the person provided false or misleading information to obtain the clearance;
(e) any other relevant information that enables the licensee to assess the risk.

Period and conditions

(4) The high-security site access clearance may be granted for a period of no more than 10 years and must be subject to any terms and conditions that are necessary to minimize the risk to the security of the high-security site.

Record to be kept

(5) A licensee that grants a high-security site clearance under paragraph (1)(b) must keep a record indicating how it verified that the person holds the clearance referred to in that paragraph.

Enhanced Security Clearance

Conditions

45 (1) A licensee may grant an enhanced security clearance to a person if

(a) it determines, after verifying the information and documents set out in subsection (2) and taking the factors referred to in subsection 44(3) into consideration, that the person does not pose an unreasonable risk to the health or safety of persons or the security of the high-security site; or
(b) it verifies that the person holds
- (i) a valid enhanced security clearance granted by another licensee, or
- (ii) a valid secret or top secret clearance granted under the Directive on Security Screening.

Verification of information and documents

(2) For the purpose of paragraph (1)(a), the licensee must verify the following information and documents in respect of the person who is seeking the enhanced security clearance:

(a) the information and documents referred to in subsection 44(2); and
(b) the results of a credit check.

Period and conditions

(3) An enhanced security clearance may be granted for a period of no more than five years and must be subject to any terms and conditions that are necessary to minimize the risk to the security of the high-security site.

Record

List of persons

46 (1) A licensee must keep an up-to-date list of each person to whom a clearance has been granted under section 44 or 45 and that identifies their clearance.

List to be provided

(2) The licensee must, on request, provide a copy of the list to the Commission or an inspector.

Revocation

Conditions

47 (1) A licensee must revoke a person’s high-security site access clearance or enhanced security clearance if

(a) the licensee concludes, based on an investigation, that the person poses or could pose an unreasonable risk to the health or safety of persons or the security of the high-security site;
(b) the person is no longer employed by or otherwise under contract to the licensee;
(c) the person’s duties have been completed, suspended or otherwise terminated;
(d) the person no longer requires the clearance to carry out their duties; or
(e) the person provided false or misleading information to obtain the clearance.

Commission to be notified

(2) The licensee must notify the Commission in writing of any revocation made under paragraph (1)(a) or (e) within five business days after the day on which the revocation is made.

Authorizations

Exceptions

Inspectors

48 (1) Subsection 49(1) and sections 50 and 51 do not apply to an inspector who is designated to carry out inspections at high-security sites or to a person who is chosen by the inspector to accompany them under section 33 of the Act.

First responders

(2) Despite subsection 49(1) and sections 50 and 51, a member of the off-site response force, a peace officer or a member of an emergency service who requires access to a protected area, vital area or inner area for the purpose of carrying out their duties may enter and remain in the area without having been granted a high-security site access clearance or enhanced security clearance and, in the event of an emergency in that area, without an authorization referred to in paragraph 49(1)(b) or section 52.

Access to Protected Area

Requirements to enter and remain

49 (1) A person must not enter or remain in a protected area unless

(a) the licensee has granted the person a high-security site access clearance under section 44 or an enhanced security clearance under section 45;
(b) the licensee has granted the person an authorization to enter and remain in the protected area granted under subsection (2) or (3) or an authorization to enter and remain in an inner area granted under section 52; and
(c) if the authorization referred to in paragraph (b) is one referred to in subsection (3) or subsection 52(2), they are escorted in accordance with that authorization.

Authorization — without escort

(2) The licensee may grant an authorization to a person to enter and remain in a protected area without an escort if

(a) it has, in respect of the high-security site, granted the person a high-security site access clearance or an enhanced security access clearance; and
(b) it prepares an identification report that contains the following information and documents in respect of the person:
- (i) their name and date and place of birth,
- (ii) documentary proof of their lawful presence in Canada,
- (iii) the address of their principal residence,
- (iv) a photograph that depicts a frontal view of their face,
- (v) their occupation,
- (vi) documentary proof that the licensee has granted them a high-security site access clearance, and
- (vii) the documents verified by the licensee before granting them a high-security site access clearance.

Authorization — with escort

(3) The licensee may grant an authorization to a person to enter and remain in a protected area with an escort if

(a) the person presents to the licensee
- (i) in the case of a person who is 18 years of age or over, two pieces of valid government-issued identification, one of which must be photo identification, and
- (ii) in the case of a person who is under the age of 18, documentary proof of their name and address; and
(b) the licensee makes the authorization subject to the condition that the person is, while within the protected area, escorted at all times by a person who, in respect of the high-security site, has been granted a high-security site access clearance or enhanced security clearance.

Period

(4) An authorization referred to in subsection (2) may be granted for a period of no more than 10 years.

Conditions

(5) An authorization granted under subsection (2) or (3) must be subject to any terms and conditions that are necessary to minimize the risk to the security of the high-security site.

Copy of request for information and documents

(6) If requested by the person referred to in subsection (1), the licensee must provide them with a copy of all information and documents relating to the authorization that are in the licensee’s possession and that were provided to the licensee by or on behalf of that person.

Access to Vital Area and Inner Area

Vital area

50 A person must not enter or remain in a vital area unless the licensee has granted the person an authorization for the area under subsection 52(1) or (2) and, if the authorization is one referred to in subsection 52(2), the person is escorted in accordance with that authorization.

Inner area

51 A person must not enter or remain in an inner area unless

(a) the licensee has granted the person an authorization for the area under subsection 52(1) and they are accompanied by another person who has been granted an authorization referred to in that subsection; or
(b) the licensee has granted the person an authorization for the area under subsection 52(2) and they are escorted at all times by two other persons who have been granted an authorization referred to in subsection 52(1).

Authorization — without escort

52 (1) A licensee may grant an authorization to a person to enter and remain without an escort in a vital area or inner area, as the case may be, if

(a) it has granted an enhanced security clearance to the person for the high-security site; and
(b) the person requires access to the area to carry out a duty required by the licensee.

Authorization — with escort

(2) The licensee may grant an authorization to a person to enter and remain with an escort in a vital area or inner area, as the case may be, if

(a) the person requires access to the area to carry out a duty required by the licensee;
(b) it obtains the following information and documents in respect of the person:
- (i) their name,
- (ii) the address of their principal residence,
- (iii) the name and business address of their employer, and
- (iv) documentary proof of their lawful presence in Canada;
(c) it makes, in the case of an authorization to enter and remain in a vital area, the authorization subject to the condition that the person is, while within the area, escorted at all times by a person who is authorized to enter and remain in the area and is equipped with a device that permits them to immediately communicate with the central alarm station; and
(d) it makes, in the case of an authorization to enter and remain in an inner area, the authorization subject to the condition that the person is, while within the area, escorted at all times by two persons who are authorized to enter and remain in the area, each of whom is equipped with a device that permits them to immediately communicate with the central alarm station.

Period

(3) An authorization referred to in subsection (1) may be granted for a period of no more than five years.

Conditions

(4) An authorization granted under subsection (1) or (2) must be subject to any terms and conditions that are necessary to minimize the risk to the security of the high-security site.

Copy of information and documents

(5) If requested by the person referred to in subsection (2), the licensee must provide them with a copy of all information and documents relating to the authorization that are in the licensee’s possession and that were provided to the licensee by or on behalf of that person.

Records

Record to be kept

53 (1) A licensee must, for each person to whom an authorization has been granted under section 49 or 52, keep a record that sets out their name, their authorization and the day on which their authorization ends.

Retention of record

(2) The record must be retained until one year after the day on which the person’s authorization ends or is revoked.

Record to be provided

(3) The licensee must, on request, provide a copy of the record to the Commission or an inspector.

Record to be made available

(4) The licensee must make a copy of the record available to its nuclear security officers.

Security Personnel

Clearance required

54 A licensee must not permit an employee, or any other person who is under contract to the licensee, to carry out the duties of security personnel or those related to nuclear security intelligence unless it has granted the person an enhanced security clearance.

Nuclear Security Officers

Written authorization

55 (1) A person must not act as a nuclear security officer unless the licensee grants them written authorization to do so.

Requirements for authorization

(2) Before granting the authorization, the licensee must

(a) ensure that it has granted the person an enhanced security clearance;
(b) ensure that the person has received training on, and that their knowledge and skill has been evaluated with respect to, the following topics as they relate to the duties of nuclear security officers at the high-security site:
- (i) first aid and cardiopulmonary resuscitation,
- (ii) their duties when responding to nuclear security events, including the use of force,
- (iii) security procedures and nuclear security measures at the high-security site,
- (iv) threats to nuclear security, including sabotage and the unauthorized removal of nuclear substances, and
- (v) the licensee’s obligations under the Act and its regulations that are relevant to their duties;
(c) ensure that, if the person has previously been granted high-security site access clearance, the person has participated in continuing training related to the topics referred to paragraph (b); and
(d) obtain the following documents from the person:
- (i) documentary proof that the person is a Canadian citizen or a permanent resident as defined in subsection 2(1) of the Immigration and Refugee Protection Act,
- (ii) a certificate, signed by a qualified medical practitioner, certifying that the person does not have a medical condition that would prevent them from performing the tasks that are likely to be assigned by the licensee,
- (iii) a certificate, signed by a fitness consultant who is recognized by the Canadian Society for Exercise Physiology or a person with equivalent or higher qualifications, certifying that the person is physically able to perform the tasks that are likely to be assigned by the licensee, and
- (iv) a certificate, signed by a qualified psychologist, certifying that the person is psychologically able to perform the tasks that are likely to be assigned by the licensee.

Assessment by licensee

(3) Before granting the authorization to a person, the licensee must assess the person’s knowledge of the security procedures and nuclear security measures that are relevant to their duties and their ability to carry them out.

Period and conditions

(4) The authorization may be granted for a period of no more than five years and must be subject to any terms and conditions that are necessary to minimize the risk to the security of the high-security site.

Copy of information and documents

Nuclear Security Support Person

Written authorization

56 (1) A person must not act as a nuclear security support person unless the licensee has granted the person written authorization to do so and, if the authorization is one referred to in subsection (3), they are escorted in accordance with subsection (4).

Authorization — without escort

(2) The licensee may grant an authorization to a person to act as a nuclear security support person without an escort if it has granted the person an enhanced security clearance for the high-security site.

Authorization — with escort

(3) The licensee may grant an authorization to a person to act as a nuclear security support person with an escort if it has obtained the following information and documents in respect of the person:

(a) their name;
(b) the address of their principal residence;
(c) the name and business address of their employer; and
(d) a copy of two pieces of valid government-issued identification, one of which must be photo identification.

Conditions — escort required

(4) An authorization granted under subsection (3) must be made subject to the following conditions:

(a) that the person enters or remains in the protected area or inner area only for the purpose of carrying out duties required by the licensee;
(b) that, when the person is in a protected area, they are escorted at all times by a person who is authorized under subsection (2);
(c) that, when the person is in a vital area, they are escorted at all times by a person who is authorized under subsection (2); and
(d) that, when the person is in an inner area, they are escorted at all times by a person who is authorized under subsection (2) and two other persons who are authorized to enter and remain in the inner area with an escort.

Period

(5) An authorization referred to in subsection (2) may be granted for a period of no more than five years.

Conditions

(6) An authorization granted under subsection (2) or (3) must be subject to any terms and conditions that are necessary to minimize the risk to the security of the high-security site.

Copy of information and documents

(7) If requested by the person referred to in subsection (2), the licensee must provide them with a copy of all information and documents relating to the authorization that are in the licensee’s possession and that were provided to the licensee by or on behalf of that person.

Central Alarm Station Operator

Written authorization

57 (1) A person must not act as a central alarm station operator unless the licensee grants them written authorization to do so.

Requirements for authorization

(2) Before granting the authorization, the licensee must

(a) ensure that it has granted the person an enhanced security clearance;
(b) ensure that the person has received training on the following topics:
- (i) the operation of the central alarm station,
- (ii) their duties when responding to nuclear security events,
- (iii) security procedures and nuclear security measures at the high-security site,
- (iv) threats to nuclear security, including sabotage and the unauthorized removal of nuclear substances, and
- (v) the licensee’s obligations under the Act and its regulations that are relevant to their duties; and
(c) obtain the following documents from the person:
- (i) documentary proof that the person is a Canadian citizen or a permanent resident as defined in subsection 2(1) of the Immigration and Refugee Protection Act,
- (ii) a certificate, signed by a qualified medical practitioner, certifying that the person does not have a medical condition that would prevent them from performing the tasks that are likely to be assigned by the licensee, and
- (iii) a certificate, signed by a qualified psychologist, certifying that the person is psychologically able to perform the tasks that are likely to be assigned by the licensee.

Period and conditions

(3) The authorization may be granted for a period of no more than five years and must be subject to any terms and conditions that are necessary to minimize the risk to the security of the high-security site.

Copy of information and documents

(4) If requested by the person referred to in subsection (2), the licensee must provide them with a copy of all information and documents relating to the authorization that are in the licensee’s possession and that were provided to the licensee by or on behalf of that person.

Record

List of persons

58 (1) A licensee must keep an up-to-date list of each person to whom an authorization has been granted under section 55, 56 or 57 and that identifies the authorization.

List to be provided

(2) The licensee must, on request, provide a copy of the list to the Commission or an inspector.

Revocation

Conditions

59 (1) A licensee must revoke an authorization granted to a person under this Part if

(a) the licensee concludes, based on an investigation, that the person poses or could pose an unreasonable risk to the health or safety of persons or the security of the high-security site;
(b) the person is no longer employed by or otherwise under contract to the licensee;
(c) the duties or functions of the person have been completed, suspended or otherwise terminated;
(d) the person no longer requires the authorization to carry out their duties; or
(e) the person provided false or misleading information to obtain the authorization.

Commission to be notified

(2) The licensee must notify the Commission in writing of any revocation made under paragraph (1)(a) or (e) within five business days after the day on which the revocation is made.

Nuclear Security Measures

Power Supply

Uninterrupted power supply

60 A high-security site must be equipped with devices that, in the event of the loss of the power supply, maintain an uninterrupted power supply for a period of time that is sufficient to allow for an alternate continuous power supply to be implemented for all critical security measures that require a power supply and that are described in the nuclear security plan.

Protected Area

Perimeter enclosed by physical barrier

61 (1) A protected area must be enclosed by a physical barrier that is located at its perimeter.

Other nuclear security measures

(2) The perimeter of the protected area must be

(a) protected by the following nuclear security measures:
- (i) two or more independent nuclear security measures that detect intrusion or attempted intrusion and that are designed and installed such that the failure of one measure does not prevent the intrusion or attempted intrusion from being detected and an alarm from being triggered,
- (ii) a nuclear security measure that detects any tampering or attempted tampering that may cause any of the measures referred to in subparagraph (i) or (iv) to malfunction or cease to function,
- (iii) a nuclear security measure that, when an event referred to in subparagraph (i) or (ii) is detected, triggers a continuous alarm that is audible and visible in the central alarm station and that can only be shut off from inside the station by a central alarm station operator, and
- (iv) two or more independent nuclear security measures that facilitate an immediate assessment of the cause of the alarm by a central alarm station operator; or
(b) kept under the direct visual surveillance of a nuclear security officer who is equipped with
- (i) a device that enables communication with the central alarm station, and
- (ii) a device that can trigger a continuous alarm that is audible and visible in the central alarm station and that can only be shut off from inside the station by a central alarm station operator.

Design, construction and implementation

(3) The physical barrier must be designed and constructed and the other nuclear security measures must be designed and implemented such that together they

(a) provide sufficient time for the off-site response force or, if any, the on-site nuclear response force to respond to any intrusion into the protected area; and
(b) reduce the risk of forced entry into the protected area by any vehicle.

Security facilities

(4) Permanent security facilities such as guard posts and vehicle portals may join with the physical barrier if a continuous barrier is maintained.

Means of entry or exit

(5) Each gate, door, window or other means of entry or exit in the physical barrier must be

(a) constructed so that it can be closed and securely locked to resist unauthorized entry; and
(b) kept closed and securely locked except when persons or land vehicles are entering or exiting the protected area under the direct visual surveillance of a nuclear security officer.

Unobstructed areas

62 (1) Both sides of the physical barrier referred to in subsection 61(1) must be bordered by an unobstructed area that is free from any structures, equipment or other obstructions and is large enough to allow for the unrestricted observation of the movement of any person or object within the area.

Lighting

(2) An unobstructed area must be continuously and uniformly illuminated at an intensity that allows the presence of any person or object within the area to be clearly observed and assessed.

Vehicle and vessel barriers

63 The perimeter of a protected area must be protected by a nuclear security measure that is designed to protect against the forced entry of land vehicles — and, if the protected area is adjacent to a body of water, vessels — into the protected area.

Vital Areas

Identification process

64 A licensee must establish a process to identify vital areas and keep a record that sets out that process.

Nuclear security measures

65 (1) A vital area must be protected by nuclear security measures that

(a) are in addition to those used to protect the protected area;
(b) control access to the vital area;
(c) detect unauthorized access to the vital area;
(d) delay adversaries who are described in the design basis threat or the threat and risk assessment long enough to ensure that an effective intervention can be made;
(e) triggers a continuous alarm that is audible and visible in the central alarm station in the event that an unattended point of entry or exit is opened and that can only be shut off from inside the station by a central alarm station operator; and
(f) are monitored to ensure that any tampering or attempted tampering with the measures is detected and assessed.

Means of entry or exit

(2) Each gate, door, window or other means of entry or exit in a vital area must be securely locked when it is unattended.

List of persons

66 A licensee must keep an up-to-date list of all persons who have access to keys, keycards or any other system, including a computer system, that controls access to a vital area.

Inner Area

Enclosed structure

67 (1) An inner area must be within an enclosed structure that is

(a) located at least 5 m away from every point in the physical barrier that encloses the protected area; and
(b) designed and constructed to prevent a person who has gained unauthorized access to Category I nuclear material from removing the material from the inner area before an effective intervention can be made.

Means of entry or exit

(2) Each gate, door, window or other means of entry or exit in the enclosed structure must be kept closed and securely locked with a device that can only be unlocked from outside the structure by two persons who are authorized under subsection 52(1), with each of them simultaneously using a means of access control.

Nuclear security measures

68 (1) An inner area must be

(a) protected by the following nuclear security measures that are in addition to those used to protect the protected area:
- (i) two or more independent nuclear security measures that detect intrusion into, and unauthorized movement within and out of, the inner area,
- (ii) a nuclear security measure that detects any tampering or attempted tampering that may cause any of the measures referred to in subparagraph (i) or (v) to malfunction or cease to function,
- (iii) a nuclear security measure that, when an event referred to in subparagraph (i) or (ii) is detected, triggers the following continuous and independent alarms:
  - (A) an alarm that is audible and visible in the central alarm station and that can only be shut off from inside the station by a central alarm station operator, and
  - (B) an alarm that is audible and visible in at least one other attended place outside the inner area and that can only be shut off from that place by a person who is authorized under subsection 52(1),
- (iv) two or more independent nuclear security measures that facilitate an immediate assessment of the cause of an alarm, and
- (v) a nuclear security measure that detects the unauthorized removal of Category I nuclear material, Category II nuclear material or Category III nuclear material from the inner area; or
(b) kept under the direct visual surveillance of a nuclear security officer who is equipped with
- (i) a device that enables communication with the central alarm station, and
- (ii) a device that can trigger a continuous alarm that is audible and visible in the central alarm station and in at least one other attended place outside of the inner area and that can only be shut off from inside the station by a central alarm station operator or from that other place by a person who is authorized under subsection 52(1).

Access control

(2) An inner area must be protected by nuclear security measures that

(a) control access to the area;
(b) record each attempt to access the area and verify the identity of each authorized person who enters the area; and
(c) are monitored to ensure that any tampering or attempted tampering with the measures is detected and assessed.

Access Control

Prohibitions

Unauthorized persons

69 (1) A licensee must not permit an unauthorized person to enter or remain in

(a) a protected area;
(b) a vital area; or
(c) an inner area.

Access without required escort

(2) The licensee must not permit a person who has been granted an authorization to enter or remain in a protected area, vital area or inner area with escort to enter or remain in that area unless they are escorted in accordance with that authorization.

Reporting unauthorized person

70 If a person observes anyone in a protected area, vital area or inner area whom they believe on reasonable grounds is not authorized to be in that area, they must immediately report that fact to a nuclear security officer.

Weapons, explosive substances and threat items

71 A licensee must ensure that

(a) weapons are not taken into a protected area or inner area unless they are under the control of a peace officer, nuclear security officer or a member of an on-site nuclear response force or off-site response force who requires access to the area for the purpose of carrying out their duties;
(b) explosive substances are not taken into a protected area or inner area unless
- (i) they are under the control of a peace officer, nuclear security officer or a member of an on-site nuclear response force or off-site response force who requires access to the area for the purpose of carrying out their duties; or
- (ii) they are necessary for an operational requirement and are under the control of a person who is authorized by the licensee and escorted at all times by a nuclear security officer; and
(c) threat items are not taken into a protected area or inner area unless they are necessary for an operational requirement.

Removal of nuclear material

72 (1) A licensee must ensure that Category I nuclear material, Category II nuclear material or Category III nuclear material is not removed from a protected area or inner area except in accordance with a licence.

Vital area

(2) A licensee must ensure that Category I nuclear material, Category II nuclear material or Category III nuclear material is not removed from a vital area without its authorization.

Prohibited activities

73 A person must not

(a) take any weapons into a protected area or inner area unless they are under the control of a peace officer, nuclear security officer or a member of an on-site nuclear response force or an off-site response force who requires access to the area for the purpose of carrying out their duties;
(b) take any explosive substance into a protected area or an inner area unless
- (i) they are a peace officer, nuclear security officer or a member of an on-site nuclear response force or off-site response force who requires access to the area for the purpose of carrying out their duties, or
- (ii) they are authorized to do so by the licensee and escorted at all times by a nuclear security officer and the explosive substance is necessary for an operational requirement;
(c) take threat items into a protected area or inner area unless they are necessary for an operational requirement; or
(d) remove any Category I nuclear material, Category II nuclear material or Category III nuclear material from a protected area, vital area or inner area without the authorization of the licensee.

Identity Verification

Protected area

74 Before a person who has been granted an authorization under section 49 enters a protected area, the licensee must verify their identity by two separate personnel identity verification systems, one of which must use biometric information.

Vital area

75 The licensee must verify and record the identity of every person who enters a vital area.

Vehicle Access

Land vehicles

76 A licensee must not permit a land vehicle to enter a protected area, vital area or inner area unless there is an operational requirement for it to be in that area.

Vehicle access

77 (1) A licensee must ensure that land vehicles only enter into or exit from a protected area through a vehicle portal or, if necessary for an operational requirement, through an opening with two moveable barriers.

Both barriers not to be open

(2) Both moveable barriers of a vehicle portal or opening must not be open at the same time except in the event of an emergency or if it is necessary to do so for an operational requirement.

When both barriers are open

(3) When both moveable barriers of a vehicle portal or opening are open at the same time, the vehicle portal or opening, as the case may be, must be

(a) attended by at least one nuclear security officer who is equipped with a land vehicle; or
(b) protected by other nuclear security measures that prevent unauthorized access to the protected area.

Inner Area Access

Means of entry or exit

78 (1) A licensee must not permit a gate, door, window or other means of entry or exit in the structure that encloses an inner area to be unlocked, opened or kept open except for the period of time necessary to allow for the passage of persons or items into or out of the area or for the completion of an operational requirement.

Direct visual surveillance

(2) While the means of entry or exit is unlocked, opened or kept open, the licensee must ensure that it is under the direct visual surveillance of a nuclear security officer who is dedicated exclusively to that task.

Unlocked from outside

(3) A licensee must not permit a gate, door, window or other means of entry or exit in the structure that encloses an inner area to be unlocked from the outside unless it is unlocked by two persons who are authorized to enter the inner area, at least one of whom is a nuclear security officer.

Person must be accompanied

79 A person who is authorized under subsection 52(1) to enter and remain in an inner area must not enter the area unless they are accompanied by another person who is authorized to do so under that subsection and they remain in visual contact with that other person.

Searches

Signage for high-security site

80 (1) A licensee must post, in close proximity to the location at which the search of persons is conducted, signage that is visible to any person who is about to enter a high-security site that states, in English and French, that all persons entering and exiting the site and everything in their possession, including any land vehicle, are

(a) on entering the site, subject to search by a nuclear security officer — using any necessary screening and detection devices — for weapons, explosive substances, threat items and, in the case of a land vehicle, unauthorized persons; and
(b) on exiting the site, subject to search by a nuclear security officer for Category I nuclear material, Category II nuclear material and Category III nuclear material using devices capable of detecting that material.

Signage for protected area and inner area

(2) A licensee must post, in close proximity to the location at which the search of persons is conducted, signage that is visible to any person who is about to enter a protected area or inner area that states, in English and French, that all persons entering and exiting the area and everything in their possession, including any land vehicle, are

(a) on entering the area, subject to search by a nuclear security officer — using any necessary screening and detection devices — for weapons, explosive substances, threat items and, in the case of a land vehicle, unauthorized persons; and
(b) on exiting the area, subject to search by a nuclear security officer for Category I nuclear material, Category II nuclear material and Category III nuclear material using devices capable of detecting that material.

Search on entry

81 (1) Subject to subsection (3), a licensee must not permit any person to enter a protected area or inner area unless the person and everything in their possession, including any land vehicle, are searched by a nuclear security officer — using any necessary detection and screening devices — for weapons, explosive substances, threat items and, in the case of a land vehicle, unauthorized persons.

Search on exit

(2) Subject to subsection (3), a licensee must ensure that all persons exiting a protected area or inner area and everything in their possession, including any land vehicle, are searched by a nuclear safety officer for Category I nuclear material, Category II nuclear material and Category III nuclear material using devices capable of detecting that material.

Exceptions

(3) The following persons are not subject to a search under subsection (1) or (2):

(a) a nuclear security officer whose identity has been verified in accordance with section 74 and who requires access to or egress from the protected area or inner area for the purposes of carrying out their duties; and
(b) a person who, if they were granted an authorization to enter the area with an escort, is or was escorted in accordance with that authorization and who establishes to a nuclear security officer — by presentation of identification or other evidence — that they are a member of the off-site response force, a peace officer or a member of an emergency service who requires access to or egress from the protected area or inner area for the purpose of carrying out their duties.

Search after entry

(4) If the licensee has reasonable grounds to suspect that a person who is in a protected area or inner area has any of the following items in their possession, the licensee must not permit the person to remain in that area unless the person and everything in their possession, including a land vehicle, is searched for those items:

(a) weapons or explosive substances that are not under the control of a nuclear security officer or a member of an on-site nuclear response force or off-site response force;
(b) threat items that are not necessary for an operational requirement; or
(c) Category I nuclear material, Category II nuclear material or Category III nuclear material that is being removed from the area without the authorization of the licensee.

Conduct of search

(5) A search of a person that is conducted under this section must be

(a) a non-intrusive search carried out by means of a hand-held scanner, a walk-through scanner equipped with a metal detector or any similar device; or
(b) a frisk search carried out by a person of the same sex as the person being searched and extending from head to foot, down the front and rear of the body, around the legs and inside clothing folds, pockets and footwear, if a nuclear security officer determines that it is necessary in order to maintain security.

Search of land vehicle

(6) If the high-security site is equipped with a vehicle portal, a search of a land vehicle that is conducted under this section must take place in the vehicle portal.

Prohibition

82 A person who refuses to submit to a search to which they are subject under section 81 must not enter a protected area or inner area.

PART 3
Other Nuclear Facilities

Definition

Definition of licensee

83 In this Part, licensee means a person who, in relation to a nuclear facility referred to in paragraph 3(c) of these Regulations, is licensed under the Act to

(a) carry out an activity described in any of paragraphs 26(a), (e) or (f) of the Act; or
(b) produce, refine, convert, enrich, process, reprocess, manage, store or dispose of a nuclear substance.

Application

Application of Part

84 This Part applies in respect of the nuclear facilities referred to in paragraph 3(c).

Facility-access Security Clearance

Conditions

85 (1) A licensee may grant a facility-access security clearance to a person if

(a) it determines, after verifying the information and documents referred to in subsection (2), that the person does not pose an unreasonable risk to the health or safety of persons or the security of the nuclear facility; or
(b) it verifies that the person holds
- (i) a valid facility-access security clearance, a high-security site access clearance or an enhanced security clearance granted by another licensee, or
- (ii) a valid reliability status or a secret or top secret clearance granted under the Directive on Security Screening.

Verification of information and documents

(2) For the purpose of paragraph (1)(a), the licensee must verify the following information and documents in respect of the person who is seeking the facility-access security clearance:

(a) two pieces of valid government-issued identification, one of which must be photo identification;
(b) a record that sets out the results of any criminal record check, such as a check that is fingerprint-based; and
(c) their personal history for the last five years, composed of their educational history, professional qualifications, employment history and character references, but if their history cannot be established for that period, information relating to their trustworthiness, including, if available, the results of a criminal record check from each country in which they have resided for one or more years in the last five years.

Period and conditions

(3) A facility-access security clearance may be granted for a term not exceeding 10 years and must be subject to any terms and conditions that are necessary to minimize the risk to the security of the nuclear facility.

Record and notice

(4) A licensee that grants a facility-access security clearance under paragraph (1)(b) must keep a record indicating how it verified that the person holds a status or clearance, as the case may be, referred to in that paragraph.

List of persons

86 (1) A licensee must keep an up-to-date list of the persons to whom a facility-access security clearance has been granted.

List to be provided

(2) The licensee must, on request, provide a copy of the list to the Commission or an inspector.

Revocation

87 (1) A licensee must revoke a person’s facility-access security clearance if

(a) the licensee concludes, based on an investigation, that the person poses or could pose an unreasonable risk to the health or safety of persons or the security of the nuclear facility;
(b) the person is no longer employed by or otherwise under contract to the licensee;
(c) the person’s duties have been completed, suspended or otherwise terminated;
(d) the person no longer requires the clearance to carry out their duties; or
(e) the person provided false or misleading information to obtain the clearance.

Commission to be notified

(2) The licensee must notify the Commission in writing of any revocation made under paragraph (1)(a) or (e) within five business days after the day on which the revocation is made.

Access Control

Access to Nuclear Facility

Entering or remaining in nuclear facility

88 (1) A person must not enter or remain in a nuclear facility at which a licensee carries out licensed activities unless they

(a) have a facility-access security clearance that is granted in respect of that facility by the licensee;
(b) are escorted at all times by a person who has such a clearance; or
(c) are an inspector who is designated to carry out inspections at nuclear facilities or a person who is chosen by the inspector to accompany them under section 33 of the Act.

Escort not required

(2) Despite paragraph (1)(b), a member of the off-site response force, a peace officer or a member of an emergency service is not required to be escorted if there is an emergency at the facility and they require access to it for the purpose of carrying out their duties.

Licensee’s obligation

89 (1) A licensee must ensure that every person who enters or remains in a nuclear facility at which it carries on licensed activities is permitted to do so under subsection 88(1).

Identity verification

(2) The licensee must establish and implement a process that controls access to the nuclear facility and that ensures that the identity of each person who enters the facility, other than one referred to in paragraph 88(1)(c), is verified by,

(a) in the case of a person who has a facility-access security clearance for that facility, presentation of proof of their clearance and use of a device that is capable of verifying their identity;
(b) in the case of any other person who is 18 years of age or over, presentation of two pieces of valid government-issued identification, one of which must be photo identification; and
(c) in the case of a person who is under the age of 18, presentation of documentary proof of their name and address.

Weapons, explosive substances and threat items

90 A licensee must ensure that

(a) weapons are not taken into a nuclear facility unless they are under the control of a peace officer or member of the off-site response force who requires access to the nuclear facility for the purpose of carrying out their duties;
(b) explosive substances are not taken into a nuclear facility unless
- (i) they are under the control of a peace officer or member of the off-site response force who requires access to the nuclear facility for the purpose of carrying out their duties; or
- (ii) they are necessary for an operational requirement and they are under the control of a person who is authorized by the licensee and kept under the direct visual surveillance of a person authorized by the licensee; and
(c) threat items are not taken into a nuclear facility unless they are necessary for an operational requirement.

Prohibited activities

91 A person must not

(a) take any weapon into a nuclear facility unless they are a peace officer or a member of the off-site response force who requires access to the nuclear facility for the purpose of carrying out their duties;
(b) take any explosive substance into a nuclear facility unless
- (i) they are a peace officer or a member of the off-site response force who requires access to the nuclear facility for the purpose of carrying out their duties, or
- (ii) they are authorized to do so by the licensee and placed under the direct visual surveillance of a person authorized by the licensee and the explosive substance is necessary for an operational requirement;
(c) take any threat item into a nuclear facility unless it is necessary for an operational requirement; or
(d) remove any nuclear substance from a nuclear facility without the authorization of the licensee.

Entry of land vehicles

92 (1) A licensee must not permit a land vehicle to enter a nuclear facility at which the licensee carries on a licensed activity unless

(a) the land vehicle is searched for explosive substances, weapons, threat items and unauthorized persons; and
(b) there is an operational requirement for the vehicle to be there or it is used by a member of the off-site response force, a peace officer or a member of an emergency service for the purpose of carrying out their duties.

Exception

(2) Despite paragraph (1)(a), a vehicle that is used by a security guard, a member of the off-site response force, a peace officer or a member of an emergency service is not required to be searched if there is an emergency at the nuclear facility and the use of the vehicle is necessary to carry out their duties.

Searches and Screening

Signage

93 A licensee must post, in close proximity to the location at which the search and screening of persons is conducted, signage that is visible to any person who is about to enter the nuclear facility that states, in English and French, that

(a) persons entering and exiting the facility may be subject to search or screening for explosive substances, weapons, threat items or nuclear substances; and
(b) the licensee must not allow any person who has been selected for search or screening to enter the facility unless that person and everything in their possession, including any land vehicle, is searched or screened.

Processes for search or screening

94 (1) A licensee must implement processes that, using a risk-based approach, provide for the manner of selecting the persons who are to be searched or screened, respectively,

(a) on entering a nuclear facility, for explosive substances, weapons and threat items; and
(b) on exiting a nuclear facility, for nuclear substances.

Entry search or screening

(2) The licensee must not permit any person who is selected for search or screening to enter the nuclear facility unless the person and everything in their possession, including any land vehicle, is searched or screened.

Conduct of search or screening

95 A search or screening referred to in section 94 must be carried out by a person who is authorized to do so by the licensee and must be

(a) a non-intrusive search or screening that is carried out by means of a hand-held scanner, a walk-through scanner equipped with a metal detector or any similar device; or
(b) a frisk search carried out by a person of the same sex as the person being searched and extending from head to foot, down the front and rear of the body, around the legs and inside clothing folds, pockets and footwear, if a security guard or other person authorized by the licensee determines that it is necessary in order to maintain security.

Security Exercise

Security exercise

96 (1) A licensee must, in cooperation with the off-site response force, at least once every five years, conduct a security exercise that tests

(a) the ability of selected elements of the contingency plan and selected nuclear security measures to ensure that an effective intervention can be made against, taking into account the threats identified in the threat and risk assessment; and
(b) the readiness of the off-site response force and any security guards to respond to those threats.

Notice to Commission

(2) The licensee must notify the Commission in writing of its intent to conduct a security exercise at least four months before the day on which the exercise is to be held.

Record to be kept

(3) The licensee must, for each security exercise that it conducts, keep a record that contains

(a) an outline of the exercise scenario;
(b) an evaluation of the effectiveness of the elements of the contingency plan and the nuclear security measures that were tested and the readiness of the off-site response force and, if any, the security guards; and
(c) a description of any corrective actions that, taking the evaluation into account, are necessary.

Corrective action plan

(4) If a corrective action referred to in paragraph (3)(c) is to be implemented using a phased approach, the licensee must create a corrective action plan that sets out

(a) the reasons for the corrective action;
(b) a rationale for the phased approach; and
(c) a timetable that sets out when each phase of the plan will be completed.

Corrective actions

(5) The licensee must implement the corrective actions and, if they are to be implemented using a phased approach, each phase must be completed in accordance with the timetable set out in the corrective action plan.

Records to be provided

(6) The licensee must, within 90 days after the day on which the security exercise is completed, provide to the Commission a copy of the record referred to in subsection (3) and, if any, a copy of the corrective action plan referred to in subsection (4).

PART 4
Licence to Transport

Definition of licensee

97 In this Part, licensee means a person who is licensed to transport Category I nuclear material, Category II nuclear material or Category III nuclear material.

Application

98 This Part applies in respect of the transport of Category I nuclear material, Category II nuclear material or Category III nuclear material.

Exemption

99 (1) A person may, without a licence to carry on that activity, transport Category I nuclear material, Category II nuclear material or Category III nuclear material within an area in which the material is required by sections 19 to 21 to be produced, processed, used or stored.

Section 26 of Act

(2) For greater certainty, the exemption established under subsection (1) relates only to the activity specified in that subsection and does affect the licence requirement imposed by section 26 of the Act in relation to other activities.

Transport security plan

100 An application for a licence to transport Category I nuclear material, Category II nuclear material or Category III nuclear material must contain, in addition to the information required under section 7 of the Packaging and Transport of Nuclear Substances Regulations, 2015, a transport security plan that includes

(a) the name, quantity, radiation level in Gy/h, chemical and physical characteristics and isotopic composition of the nuclear material;
(b) a threat and risk assessment;
(c) a description of the conveyance and, if any, the escort arrangements;
(d) the proposed security measures;
(e) a description of how the applicant will evaluate and improve the security measures, including the proposed scheduling of security exercises;
(f) the planned route and at least one alternate route;
(g) the tracking and communication arrangements made among the applicant, the operator of the land vehicle transporting the nuclear material, the recipient of the material and any off-site response force throughout the transport; and
(h) the arrangements made between the applicant and any off-site response force throughout the transport.

Security exercise

101 (1) The licensee must conduct a security exercise in respect of the transport of Category I nuclear material, Category II nuclear material and Category III nuclear material at least once every five years.

Record to be kept

(2) The licensee must, for each security exercise that it conducts, keep a record that contains

(a) an outline of the exercise scenario;
(b) an evaluation of the effectiveness of the security measures that were tested; and
(c) a description of any corrective actions that, taking the evaluation into account, are necessary.

Corrective action plan

(3) If a corrective action referred to in paragraph (2)(c) is to be implemented using a phased approach, the licensee must create a corrective action plan that sets out

(a) the reasons for the corrective action;
(b) a rationale for the phased approach; and
(c) a timetable that sets out when each phase of the plan will be completed.

Corrective actions

(4) The licensee must implement the corrective actions and, if they are to be implemented using a phased approach, each phase must be completed in accordance with the timetable set out in the corrective action plan.

Records to be provided

(5) The licensee must, within 90 days after the day on which the security exercise is completed, provide to the Commission a copy of the record referred to in subsection (2) and, if any, a copy of the corrective action plan referred to in subsection (3).

PART 5
Consequential Amendments, Transitional Provisions, Repeal and Coming into Force

Consequential Amendments

Class I Nuclear Facilities Regulations

102 Paragraph 3(i) of the Class I Nuclear Facilities Regulations ^{footnote 1} is replaced by the following:

(i) if the application is in respect of a nuclear facility referred to in paragraph 3(b) of the Nuclear Security Regulations, the information and documents required by sections 4 and 27 of those Regulations;

Nuclear Substances and Radiation Devices Regulations

103 Subparagraph 3(1)(n)(ii) of the Nuclear Substances and Radiation Devices Regulations ^{footnote 2} is replaced by the following:

(ii) the information required by section 4 of the Nuclear Security Regulations and, if applicable, section 27 of those Regulations;

Administrative Monetary Penalties Regulations (Canadian Nuclear Safety Commission)

104 Part 9 of the schedule to the Administrative Monetary Penalties Regulations (Canadian Nuclear Safety Commission) ^{footnote 3} is replaced by the following:

PART 9

Nuclear Security Regulations
Item	Column 1 Provision	Column 2 Short-form Description	Column 3 Category
1	5(1)	Failure to review and update nuclear security plan at the specified interval	B
2	5(2)	Failure to provide copy of updated nuclear security plan to Commission before implementation	B
3	6(1)	Failure to conduct threat and risk assessment at the specified interval	B
4	6(2)(a)	Failure to review threat and risk assessment as required	B
5	6(2)(b)	Failure to update threat and risk assessment as required	B
6	6(2)(c)	Failure to update nuclear security plan as required	B
7	6(3)	Failure to make necessary modifications to the nuclear security system	B
8	6(4)	Failure to keep record of results and updates of each threat and risk assessment	A
9	6(5)(a)	Failure to provide records to Commission on request	B
10	6(5)(b)	Failure to provide record of results of threat and risk assessment or an update to Commission within prescribed time	B
11	7	Failure to implement nuclear security measures that ensure effective intervention can be made	B
12	8	Failure to develop and implement training program	B
13	9(1)	Failure to implement measures to promote and support security culture	B
14	9(2)	Failure to keep record of measures implemented to promote and support security culture	A
15	10(1)	Failure to ensure that measures and activities are designed and implemented as required and ensure that measures do not compromise the environment, the health or safety of persons or the security of the nuclear facility	B
16	10(2)	Failure to establish, implement and maintain required process regarding conflict and coordination of nuclear security measures	B
17	10(3)	Failure to keep record setting out the process regarding conflict and coordination of nuclear security measures	A
18	11(1)	Failure to immediately implement required compensatory measures when critical security measure is degraded, inoperative or compromised	B
19	11(2)	Failure to keep record setting out process for implementing compensatory measures and record indicating implementation of compensatory measures	A
20	12(a)	Failure to replace or restore functioning of degraded, inoperative or compromised device as soon as feasible	A
21	12(b)	Failure to determine how device became degraded, inoperative or compromised	A
22	13(1)	Failure to ensure security guards are trained and qualified	B
23	13(2)	Failure to keep record of security guard training and proof of their qualifications	A
24	14(1)	Failure to make written arrangements with off-site response force that, alone on in conjunction with on-site nuclear response force, is capable of making an effective intervention	B
25	14(2)	Failure to provide for specified matters in written arrangements with off-site response force	B
26	14(3)	Failure to have written arrangements signed as required	A
27	15(1)	Failure to have alarm-monitoring capability or make arrangements with an alarm-monitoring service	B
28	15(2)	Failure to provide for notification procedure in arrangements with alarm-monitoring service	B
29	16(1)	Failure to implement and maintain cyber security program	C
30	16(2)	Failure to protect computer systems and electronic components against cyber security threats as required	B
31	17(1)	Failure to protect specified sensitive information as required	B
32	17(2)	Failure to implement nuclear security measures to protect the confidentiality, integrity and availability of specified sensitive information as required	B
33	17(3)	Permitting person to access sensitive information who does not require access to carry out their duties	B
34	18	Failure to implement measures to protect, as required, information for identity verification or in relation to a clearance or authorization	B
35	19	Producing, processing, using or storing Category I nuclear material in place other than inner area	C
36	20	Producing, processing, using or storing Category II nuclear material in place other than protected area	C
37	21	Producing, processing, using or storing Category III nuclear material in place other than protected area or any other area that meets prescribed requirements	B
38	22(1)	Producing, processing, using or storing specified nuclear substance in place other than area that meets prescribed requirements	B
39	22(2)(a)	Failure to maintain list of persons who are authorized to access the area	B
40	22(2)(b)	Permitting unauthorized persons to access the area	B
41	22(2)(c)	Failure to implement required measures	B
42	23	Failure to ensure nuclear substance is not removed from nuclear facility except in accordance with licence	B
43	24(1)(a)	Failure to determine reason for unauthorized removal of nuclear substance from nuclear facility	A
44	24(1)(b)	Failure to assess and immediately respond to unauthorized removal of nuclear substance	B
45	24(2)	Failure to keep record setting out process respecting unauthorized removal of nuclear substances	A
46	29(1)	Failure to design nuclear security system taking into account the specified threats, evaluate that system or modify the system as necessary	B
47	29(2)	Failure to implement nuclear security measures that ensure effective intervention can be made, taking into account the specified threats	B
48	29(3)	Failure to keep record that sets out required processes	A
49	30(1)	Failure to provide sufficient number of nuclear security officers to carry out the specified duties	C
50	30(2)	Failure to keep record of nuclear security officers’ duties and to give copy of it to nuclear security officer	A
51	31	Failure to provide each nuclear security officer with necessary equipment, devices and apparel	B
52	32(1)	Failure to ensure nuclear security officer only carries out duties for which they have the necessary training, knowledge and skill and for which they are qualified	B
53	32(2)	Failure to ensure each nuclear security officer participates in continuing training program that includes the specified training	B
54	32(3)	Failure to keep record of training received by each nuclear security officer	B
55	33	Failure to keep records containing required information regarding nuclear security officers who are required to carry a firearm	A
56	34(1)	Failure to maintain on-site nuclear response force with required capability	C
57	34(3)	Failure to ensure that nuclear security officers who are members of on-site nuclear response force are authorized to carry firearms in Canada and trained and qualified to use them	C
58	34(4)	Failure to provide nuclear security officers who are members of on-site nuclear response force with necessary equipment, devices and apparel	C
59	35	Failure to provide for specified matters in the written in arrangements with off-site response force	B
60	36	Failure to develop and maintain contingency plan to ensure effective intervention can be made, taking into account the specified threats	B
61	37(1)	Failure to implement required security drill and security exercise program	B
62	37(2)	Failure to update the security drill and security exercise program as required	B
63	38(1)	Failure to conduct security drill at the specified interval	B
64	38(2)	Failure to ensure that specified nuclear security officers participate in a security drill at the specified interval	B
65	39(1)	Failure to conduct security exercise as required at the specified interval	B
66	39(2)	Failure to notify Commission in writing within prescribed time of intent to conduct security exercise	B
67	40(1)	Failure to keep record containing the required information regarding each security drill and security exercise	B
68	40(2)	Failure to provide copy of required record to Commission within prescribed time	B
69	41(1)	Failure to create required corrective action plan setting out the required information	B
70	41(2)	Failure to implement corrective actions as required	B
71	41(3)	Failure to provide copy of corrective action plan to Commission within the prescribed period	A
72	42(1)	Failure to ensure that specified nuclear security measures are monitored from a central alarm station	B
73	42(2)(a)	Central alarm station not located outside of a vital area or inner area	B
74	42(2)(b)	Central alarm station not designed, constructed and located as required	B
75	42(2)(c)	Central alarm station not attended at all times by at least one central alarm station operator	B
76	42(2)(d)	Central alarm station not designed to prevent solitary central alarm station operator from tampering with or, compromising nuclear security measure or disabling it without authorization	B
77	42(2)(e)	Central alarm station not equipped as required with respect to alarms received in the station	B
78	42(2)(f)	Central alarm station not equipped with required devices	B
79	42(3)	Permitting person to enter central alarm station who does not need to enter to perform their duties	B
80	42(4)	Failure to implement specified processes	B
81	43(1)(a)	Failure to establish backup alarm station that is independent from the central alarm station	B
82	43(1)(b)	Failure to establish backup alarm station that is designed and equipped as required	B
83	43(2)	Failure to ensure backup alarm station operated only by security personnel with required training	B
84	43(3)	Permitting person to enter backup alarm station who does not need to enter to perform their duties	B
85	43(4)	Failure to implement required processes	B
86	43(5)	Failure to test backup alarm station at specified interval	B
87	44(1)	Granting high-security site access clearance without meeting prescribed conditions	C
88	44(4)	Granting high-security site access clearance for term exceeding 10 years or not subject to necessary terms and conditions	B
89	44(5)	Failure to keep record indicating how clearance was verified	A
90	45(1)	Granting enhanced security clearance without meeting prescribed conditions	C
91	45(3)	Granting enhanced security clearance for term exceeding five years or not subject to necessary terms and conditions	B
92	46(1)	Failure to keep up-to-date list of each person granted a clearance and that identifies their clearance	B
93	46(2)	Failure to provide copy of list to Commission or inspector on request	B
94	47(1)(a)	Failure to revoke high-security site access clearance or enhanced security clearance of person who poses or could pose unreasonable risk to health or safety of persons or security of the site	B
95	47(1)(b)	Failure to revoke high-security site access clearance or enhanced security clearance of person who is no longer employed by or under contract to the licensee	B
96	47(1)(c)	Failure to revoke high-security site access clearance or enhanced security clearance of person whose duties or functions have been completed, suspended or otherwise terminated	B
97	47(1)(d)	Failure to revoke high-security site access clearance or enhanced security clearance of person who no longer requires it to perform their duties	B
98	47(1)(e)	Failure to revoke high-security site access clearance or enhanced security clearance of person who provided false or misleading information	B
99	47(2)	Failure to notify Commission in writing of revocation of high-security site access clearance or enhanced security clearance as required within prescribed time	B
100	49(1)	Entering or remaining in protected area without required clearance and authorization and any required escort	B
101	49(2)	Granting authorization to enter and remain in protected area without escort without meeting prescribed conditions	B
102	49(3)	Granting authorization to enter and remain in protected area with escort without meeting prescribed conditions	B
103	49(4)	Granting authorization to enter and remain in protected area without escort for term exceeding 10 years	B
104	49(5)	Granting authorization to enter and remain in protected area not subject to necessary terms and conditions	B
105	49(6)	Failure to provide copy of requested information or documents	B
106	50	Entering or remaining in vital area without required authorization and any required escort	B
107	51	Entering or remaining in inner area without required authorization and being accompanied or escorted as required	B
108	52(1)	Granting authorization to enter and remain in vital area or inner area without escort without meeting prescribed conditions	B
109	52(2)	Granting authorization to enter and remain in vital area or inner area with escort without meeting prescribed conditions	C
110	52(3)	Granting authorization to enter and remain in vital area or inner area without escort for term exceeding five years	B
111	52(4)	Granting authorization to enter and remain in vital area or inner area not subject to necessary terms and conditions	B
112	52(5)	Failure to provide copy of requested information or documents	B
113	53(1)	Failure to keep record that sets out required information for each person who is authorized to enter protected area, vital area or inner area	B
114	53(2)	Failure to retain record for specified period	B
115	53(3)	Failure to provide copy of record to Commission or inspector on request	B
116	53(4)	Failure to make copy of record available to nuclear security officers	B
117	54	Permitting person who does not have enhanced security clearance to carry out duties or responsibilities of security personnel or related to nuclear security intelligence	B
118	55(1)	Acting as nuclear security officer without written authorization of licensee	B
119	55(2)	Granting authorization to act as nuclear security officer without meeting prescribed conditions	B
120	55(3)	Granting authorization to act as nuclear security officer without assessing person’s knowledge as required	B
121	55(4)	Granting authorization to act as nuclear security officer for term exceeding five years or not subject to necessary terms and conditions	B
122	55(5)	Failure to provide copy of requested information or documents	A
123	56(1)	Acting as nuclear security support person without required authorization and any required escort	B
124	56(2)	Granting authorization to act as nuclear security support person without escort without meeting prescribed condition	B
125	56(3)	Granting authorization to act as nuclear security support person with escort without obtaining specified information and documents	B
126	56(4)	Failure to include required conditions in authorization to act as nuclear security support person	B
127	56(5)	Granting authorization to act as nuclear security support person without escort for term exceeding five years	B
128	56(6)	Granting authorization to as nuclear security support person not subject to necessary terms and conditions	B
129	56(7)	Failure to provide copy of requested information or documents	A
130	57(1)	Acting as central alarm station operator without written authorization of the licensee	B
131	57(2)	Granting authorization to act as central alarm station operator without meeting prescribed requirements	B
132	57(3)	Granting authorization to act as central alarm station operator for term exceeding five years or not subject to necessary terms and conditions	B
133	57(4)	Failure to provide copy of requested information or documents	A
134	58(1)	Failure to keep up-to-date list of each person granted a specified authorization and that identifies that authorization	B
135	58(2)	Failure to provide copy of record to Commission or inspector on request	B
136	59(1)(a)	Failure to revoke authorization of person who poses or could pose an unreasonable risk to health or safety of persons or security of the high-security site	B
137	59(1)(b)	Failure to revoke authorization of person who is no longer employed by or under contract to the licensee	B
138	59(1)(c)	Failure to revoke authorization of person whose duties or functions have been completed, suspended or otherwise terminated	B
139	59(1)(d)	Failure to revoke authorization of person who no longer requires it to perform their duties	B
140	59(1)(e)	Failure to revoke authorization of person who provided false or misleading information	B
141	59(2)	Failure to notify Commission in writing of revocation of authorization as required within prescribed time	B
142	60	Failure to equip high-security site with devices that provide uninterrupted power supply for critical security measures	B
143	61(1)	Failure to enclose protected area with physical barrier at perimeter	B
144	61(2)	Failure to protect perimeter of protected area with required nuclear security measures or by keeping it under direct visual surveillance of nuclear security officer	B
145	61(3)	Failure to design and construct physical barrier and design and implement nuclear security measures such that they together provide sufficient time and reduce risk as required	B
146	61(5)(a)	Failure to construct means of entry or exit so that it can be closed and securely locked	B
147	61(5)(b)	Failure to keep means of entry or exit closed and securely locked except in specified circumstances	B
148	62(1)	Failure to have unobstructed area on both sides of physical barrier as required	B
149	62(2)	Failure to illuminate unobstructed area as required	B
150	63	Failure to protect perimeter of protected area with required nuclear security measure	B
151	64	Failure to establish process to identify vital areas and keep required record	B
152	65(1)(a)	Failure to protect vital area with nuclear security measures that are in addition to those used to protect the protected area	B
153	65(1)(b)	Failure to protect vital area with nuclear security measures that provide access control for the area	B
154	65(1)(c)	Failure to protect vital area with nuclear security measures that provide for detection of unauthorized access to the area	B
155	65(1)(d)	Failure to protect vital area with nuclear security measures that delay adversaries as required	B
156	65(1)(e)	Failure to protect vital area with nuclear security measures that triggers the specified alarm	B
157	65(1)(f)	Failure to protect vital area with nuclear security measures that are monitored as required	B
158	65(2)	Failure to securely lock means of entry or exit in vital area	B
159	66	Failure to keep up-to-date list of persons as specified	B
160	67(1)	Failure to enclose inner area with structure as required	B
161	67(2)	Failure to keep means of entry or exit closed and securely locked with required device	B
162	68(1)	Failure to protect inner area with required nuclear security measures or by keeping it under direct visual surveillance of nuclear security officer	B
163	68(2)	Failure to protect inner area with required nuclear security measures	B
164	69(1)(a)	Permitting unauthorized person to enter or remain in protected area	B
165	69(1)(b)	Permitting unauthorized person to enter or remain in vital area	C
166	69(1)(c)	Permitting unauthorized person to enter or remain in inner area	B
167	69(2)	Permit person who requires escort to enter and remain in protected area or inner area without escort	B
168	70	Failure to immediately report unauthorized person to nuclear security officer	B
169	71(a)	Failure to ensure that weapons are only taken into protected area or inner area in specified circumstances	B
170	71(b)	Failure to ensure that explosive substances are only taken into protected area or inner area in specified circumstances	B
171	71(c)	Failure to ensure that threat items are only taken into protected area or inner if they are necessary for an operational requirement	B
172	72(1)	Failure to ensure Category I, II or III nuclear material is only removed from protected area or inner area in accordance with licence	B
173	72(2)	Failure to ensure Category I, II or III nuclear material is only removed from vital area with authorization of licensee	B
174	73(a)	Taking weapon into protected area or inner area except in specified circumstances	B
175	73(b)	Taking explosive substance into protected area or inner area except in specified circumstances	B
176	73(c)	Taking threat items into protected area or inner area that are not necessary for an operational requirement	B
177	73(d)	Removing Category I, II or III nuclear material from protected area, vital area or inner area without authorization of licensee	B
178	74	Failure to verify identity of person entering protected area as required	C
179	75	Failure to verify and record identity of person entering vital area	B
180	76	Permitting land vehicle to enter protected area, vital area or inner area without operational requirement	B
181	77(1)	Failure to ensure that land vehicles only enter or exit protected area through vehicle portal or opening as required	C
182	77(2)	Failure to ensure that both moveable barriers of vehicle portal or opening are not open at same time except in specified circumstances	B
183	77(3)	Failure to ensure that vehicle portal or opening is attended or protected as required when both moveable barriers are open at the same time	B
184	78(1)	Permitting means of entry or exit in structure enclosing inner area to be unlocked, opened or kept open longer than required	B
185	78(2)	Permitting means of entry or exit in structure enclosing inner area to be unlocked, opened or kept open without direct visual surveillance of nuclear security officer	B
186	78(3)	Permitting means of entry or exit in structure or barrier enclosing inner area to be unlocked by unauthorized persons	B
187	79	Entering and remaining in inner area without being accompanied as required	B
188	80(1)	Failure to post required signage for high-security site	B
189	80(2)	Failure to post required signage for protected area or inner area	A
190	81(1)	Permitting person to enter protected area or inner area without having them and their possessions searched as required	B
191	81(2)	Failure to ensure that all persons and their possessions are searched as required when exiting protected area or inner area	B
192	81(4)	Permitting person to remain in protected area or inner area without having them and their possessions searched as required	B
193	81(5)	Failure to conduct search in accordance with requirements	B
194	81(6)	Failure to conduct search of land vehicle in vehicle portal as required	B
195	82	Entering protected area or inner area after refusing search	B
196	85(1)	Granting facility-access security clearance without meeting prescribed conditions	B
197	85(3)	Granting facility-access security clearance for term exceeding 10 years or not subject to necessary terms and conditions	B
198	85(4)	Failure to keep record indicating how the status or clearance was verified	A
199	86(1)	Failure to keep an up-to-date list of persons granted facility-access security clearance	A
200	86(2)	Failure to provide copy of list of persons to Commission or inspector on request	A
201	87(1)(a)	Failure to revoke facility-access security clearance of person who poses or could pose an unreasonable risk to health or safety of persons or security of nuclear facility	B
202	87(1)(b)	Failure to revoke facility-access security clearance of person who is no longer employed by or under contract to licensee	B
203	87(1)(c)	Failure to revoke facility-access security clearance of person whose duties or functions have been completed, suspended or otherwise terminated	B
204	87(1)(d)	Failure to revoke facility-access security clearance of person who no longer requires it to carry out their duties	B
205	87(1)(e)	Failure to revoke facility-access security clearance of person who provided false or misleading information	B
206	87(2)	Failure to notify Commission in writing of revocation of facility-access security clearance as required within prescribed time	A
207	88(1)	Entering or remaining in nuclear facility without facility-access security clearance or required escort	B
208	89(1)	Failure to ensure that every person who enters or remains in nuclear facility is permitted to do so	B
209	89(2)	Failure to establish and implement process that controls access to the nuclear facility and ensures verification of the identity of persons entering it	B
210	90(a)	Failure to ensure that weapons are only taken into nuclear facility in specified circumstances	B
211	90(b)	Failure to ensure that explosive substances are only taken into nuclear facility in specified circumstances	B
212	90(c)	Failure to ensure that threat items are only taken into nuclear facility if they are necessary for an operational requirement	B
213	91(a)	Taking weapon into nuclear facility except in specified circumstances	B
214	91(b)	Taking explosive substance into nuclear facility except in specified circumstances	B
215	91(c)	Taking threat items into nuclear facility that are not necessary for an operational requirement	B
216	91(d)	Removing nuclear substance from nuclear facility without authorization of licensee	B
217	92(1)	Permitting a land vehicle to enter a nuclear facility without meeting prescribed conditions	B
218	93	Failure to post required signage	B
219	94(1)	Failure to implement processes that provide for manner of selecting persons to be searched or screened	B
220	94(2)	Permitting person selected for search or screening to enter nuclear facility without required search or screening	B
221	95	Failure to conduct search or screening as required	B
222	96(1)	Failure to conduct a security exercise testing the required elements at the specified interval	B
223	96(2)	Failure to notify Commission in writing of intent to conduct security exercise within prescribed time	A
224	96(3)	Failure to create record containing required information each time security exercise is conducted	A
225	96(4)	Failure to create corrective action plan setting out required information	B
226	96(5)	Failure to implement corrective actions as required	B
227	96(6)	Failure to provide copy of record and any corrective action plan to Commission within prescribed time	A
228	101(1)	Failure to conduct security exercise as required at the specified interval	B
229	101(2)	Failure to keep record containing the required information each time a security exercise is conducted	B
230	101(3)	Failure to create corrective action plan setting out required information	B
231	101(4)	Failure to implement corrective actions as required	B
232	101(5)	Failure to provide a copy of record and any corrective action plan to Commission within prescribed period	A

Packaging and Transport of Nuclear Substances Regulations, 2015

105 Paragraph 6(1)(a) of the Packaging and Transport of Nuclear Substances Regulations, 2015 ^{footnote 4} is replaced by the following:

(a) the nuclear substance is a Category I nuclear material, Category II nuclear material or Category III nuclear material, as those terms are defined in section 1 of the Nuclear Security Regulations, and is transported outside the area in which it is required, under any of sections 19 to 21 of those Regulations, to be produced, processed, used or stored;

106 Paragraph 7(b) of the Regulations is replaced by the following:

(b) the information required by section 100 of the Nuclear Security Regulations if the substance is a Category I nuclear material, Category II nuclear material or Category III nuclear material, as those terms are defined in section 1 of those Regulations;

Transitional Provisions

Definition of former Regulations

107 (1) For the purposes of this section, former Regulations means the Nuclear Security Regulations as they read immediately before the day on which these Regulations come into force.

Words and expressions

(2) Unless the context otherwise requires, words and expressions used in this section have the same meaning as in section 1.

Nuclear facility

(3) The former Regulations and Part 9 of the schedule to Administrative Monetary Penalties Regulations (Canadian Nuclear Safety Commission), as they read immediately before the day on which these Regulations come into force, continue to apply for two years after that day to a nuclear facility for which, on the day on which these Regulations come into force, a licence issued under the Act is in force.

Existing authorization or clearance

(4) If a person has been granted a clearance or issued an authorization under the former Regulations, that clearance or authorization remains valid until the expiry of the term for which it was granted or issued, and during that term the person may continue to access any area or information and carry out any duties and responsibilities that the clearance or authorization permitted them to access or carry out under the former Regulations.

Site access security clearance

(5) If a person has been granted a site access security clearance under the former Regulations that is valid on the day on which these Regulations come into force and that, to maintain the person’s access to the nuclear facility, must be replaced by a facility-access security clearance granted under section 85, the licensee that granted the clearance may, before the term of the clearance expires, extend the term of the clearance to any term not exceeding 10 years.

Repeal

108 The Nuclear Security Regulations ^{footnote 5} are repealed.

Coming into Force

Registration

109 These Regulations come into force on the day on which they are registered.

SCHEDULE

(Section 1)

Category I, II and III Nuclear Material
Item	Column 1 Nuclear Substance	Column 2 Form	Column 3 Quantity (Category I Nuclear Material)	Column 4 Quantity (Category II Nuclear Material)^{table b2 note 1}	Column 5 Quantity (Category III Nuclear Material)^{table b2 note 1} ^{table b2 note 5}
1	Plutonium^{table b2 note 2}	Unirradiated^{table b2 note 3}	2 kg or more	Less than 2 kg, but more than 500 g	500 g or less, but more than 15 g
2	Uranium 235	Unirradiated^{table b2 note 3} — uranium enriched to 20% ²³⁵U or more	5 kg or more	Less than 5 kg, but more than 1 kg	1 kg or less, but more than 15 g
3	Uranium 235	Unirradiated^{table b2 note 3} — uranium enriched to 10% ²³⁵U or more, but less than 20% ²³⁵U	N/A	10 kg or more	Less than 10 kg, but more than 1 kg
4	Uranium 235	Unirradiated^{table b2 note 3} — uranium enriched above natural, but less than 10% ²³⁵U	N/A	N/A	10 kg or more
5	Uranium 233	Unirradiated^{table b2 note 3}	2 kg or more	Less than 2 kg, but more than 500 g	500 g or less, but more than 15 g
6	Fuel consisting of depleted or natural uranium, thorium or low-enriched fuel (less than 10% fissile content)^{table b2 note 4}	Irradiated	N/A	More than 500 g of plutonium	500 g or less, but more than 15 g of plutonium
Table b2 note(s) Table b2 note 1 The quantities listed refer to the aggregate of each kind of nuclear substance located at a facility, excluding the following (which are considered separate quantities): (a) any quantity of the nuclear substance that is not within 1 000 m of another quantity of the nuclear substance; and (b) any quantity of the nuclear substance that is located in a locked building or a similarly resistant structure. Return to table b2 note 1 referrer Table b2 note 2 All plutonium except that with isotopic concentration exceeding 80% in plutonium 238. Return to table b2 note 2 referrer Table b2 note 3 Material not irradiated in a reactor or material irradiated in a reactor but with a radiation level equal to or less than 1 Gy/h at 1 m unshielded. Return to table b2 note 3 referrer Table b2 note 4 Other fuel that by virtue of its original fissile content is classified as Category I nuclear material or Category II nuclear material before irradiation may be reduced one category level while the radiation level from the fuel exceeds 1 Gy/h at 1 m unshielded if the Commission is provided with written confirmation of the radiation level. Return to table b2 note 4 referrer Table b2 note 5 Quantities less than the quantities set out in column 5 for Category III nuclear material and any quantities of natural uranium, depleted uranium or thorium should be protected at least in accordance with the requirements of paragraphs 12(1)(c), (g), (h) and (j) of the General Nuclear Safety and Control Regulations. Return to table b2 note 5 referrer

REGULATORY IMPACT ANALYSIS STATEMENT

(This statement is not part of the Regulations.)

Executive summary

Issues: Security threats, operational experience and technological advancements have evolved dramatically since the Nuclear Security Regulations (NSR) were implemented. Therefore, the NSR will be repealed and replaced in order for the Regulations to continue to meet their objectives. The NSR need to be modernized to align with current international recommendations, guidance and best practices and with current Government of Canada directives and policies to ensure that nuclear facilities in Canada continue to mitigate physical, cyber and insider threats in the modern and evolving threat and risk environment. Further, changing the NSR is necessary for the Canadian Nuclear Safety Commission (CNSC) to maintain a modern regulatory framework using science- and evidence-based, risk-informed and technically sound regulatory practices that consider scientific uncertainties and evolving expectations such as small modular reactor (SMR) deployment in Canada. This was reflected in the recommendations made in the SMR Roadmap and the SMR Action Plan to amend prescriptive requirements that pose a potential barrier to SMR development and deployment in Canada.

Description: The new Nuclear Security Regulations (the Regulations) will repeal and replace the NSR. The Regulations will implement a more performance-based approach to regulating nuclear security by enabling licensees and applicants to introduce new technologies, processes and procedures while meeting the same robust security objectives. They will also include new requirements for cyber security and the protection of sensitive information and update security clearance requirements to address new threats and risks. The Regulations will address and incorporate international peer-reviewed suggestions from International Atomic Energy Agency (IAEA) experts and will be aligned with international security recommendations, guidance and best practices. Further, the structure of the Regulations will be revised to improve their readability and clarity.

Rationale: The Regulations are a key regulatory instrument for the security of nuclear materials, nuclear facilities and nuclear substances in Canada. New security threats and risks, technologies and international recommendations, guidance and best practices must be accounted for in the CNSC’s nuclear security regulatory framework. In addition, the CNSC should move to performance-based regulations, where appropriate, in alignment with the Cabinet Directive on Regulation and the Policy on Regulatory Development, as well as the commitments made in the SMR Roadmap and SMR Action Plan.

The CNSC performed extensive public consultation for the Regulations. The CNSC posted several discussion papers for public consultation and held multiple information sessions with industry, members of the public and other federal and provincial government departments and organizations. The CNSC also hosted workshops with industry on the changes and to obtain information on monetized costs and benefits. The feedback received from all these sessions was used to inform the analysis and development of the Regulations. The regulatory development also determined that regulatory action was needed in the modern threat and risk environment. The significance of the changes and restructuring led the CNSC to determine that the repeal and replacement of the NSR will be the most appropriate action to take to achieve the CNSC’s policy objectives.

The Regulations will result in a present value cost of $141.3 million, with present value benefits of $221.5 million, yielding a net present value (benefit) of $80.2 million (all figures 2023 CAD). The largest monetized cost impact item was attributed to the updated requirements for vital area nuclear security measures, with a total present value cost of $76.6 million. Conversely, the largest monetized benefit primarily revolves around cost savings associated with a performance-based requirement that will allow regulated parties to determine their own security staffing ($196.8 million present value). The main benefit to Canadians from the NSR is in the form of the reduced health, safety and environmental threats and risks due to potential security incidents at nuclear facilities and/or involving nuclear substances. A detailed cost-benefit analysis (CBA) report is available upon request.

There will be no impacts on small businesses due to the Regulations.

The one-for-one rule applies, since there will be an incremental increase in administrative burden on business. The Regulations will introduce requirements that are considered to be incremental burden under the rule, and the proposal will repeal and replace an existing regulation with a new regulatory title, which results in no net increase or decrease in regulatory titles. The Regulations will result in an annualized administrative cost of $44,310.

The Regulations will improve alignment with international regulatory regimes and address findings from international reviews of Canada’s nuclear security regime.

Issues

The Nuclear Security Regulations (NSR) were substantially amended in 2006. Since then, security threats, operational experience and technological advancements have evolved dramatically. In addition, the NSR need to be modernized to align with current international recommendations, guidance and best practices. There are a number of issues and key drivers behind repealing and replacing the NSR.

The NSR are overly prescriptive

A number of provisions in the NSR require the same prescriptive level of security for all “high-security sites” (HSS). For example, the NSR establish specific requirements for security barriers. This prevents licensees and proponents from using new security technologies or innovative practices that meet or exceed the regulatory objective to delay or deter potential adversaries. In addition, this does not differentiate between large and small nuclear reactors and does not take into consideration a risk-informed approach to address potential security threats and risks or different technologies, sizes, locations and alternative approaches to preventing theft and sabotage.

Advancements and innovations in nuclear technology, as well as in technologies and methods for physical protection and cyber security, are expanding the range of measures and approaches through which licensees can design and operate their nuclear facilities to meet nuclear security regulatory requirements. Furthermore, these advancements and innovations offer opportunities for licensees and proponents to design nuclear facilities and/or implement concepts of operation that have the potential to effectively eliminate vulnerabilities licensees will otherwise have to consider in the design of the nuclear security systems of their respective facilities.

Evolving threat environment and cyber security threats

Potential threats to nuclear infrastructure have continued to evolve since the NSR were substantially amended last in 2006. One of the fastest-growing threats to critical infrastructure in Canada, including to nuclear facilities, are cyber attacks. Further, ransomware and other cybercrimes have become a persistent threat to organizations in Canada.^{footnote 6} The NSR do not include any provision for cyber security or for the protection of digital information. Another new threat is the use of unmanned aerial systems by potential adversaries, which present new security challenges for nuclear facilities, as they represent a new sophisticated and complex threat.^{footnote 7} The NSR do not contain provisions to address these new and evolving threats.

Additionally, there is concern globally that nuclear security overall has been stagnating or declining in recent years, and while nuclear security in Canada has remained strong, there are still identified areas of improvement, such as the use of unmanned aerial systems by potential adversaries, cyber security, insider threat protection and security culture.^{footnote 19}

International recommendations, guidance and best practices

In October 2015, the International Physical Protection Advisory Service (IPPAS), created by the International Atomic Energy Agency (IAEA), conducted a mission to review the nuclear security regime and regulatory framework in Canada. The mission was performed by a team of international security experts who compared Canada’s practices to IAEA nuclear security recommendations and guidance as well as other relevant international instruments. The mission report contained 3 recommendations^{footnote 8} and 30 suggestions^{footnote 9} to enhance the nuclear security regime in Canada. Certain findings focused on improving CNSC’s nuclear security regulatory framework and suggested better alignment with important international nuclear security fundamental principles and recommendations (e.g. nuclear security culture, interface between nuclear material accountancy and control [NMAC] and nuclear security, protection of sensitive information in physical and digital media, and two-person rule in the central alarm station). The NSR do not contain explicit requirements for security culture, interface of safety, security and safeguards or the protection of sensitive information.

Changes to Government of Canada security clearance standards

The NSR reference the (ARCHIVED) Personnel Security Standard, published by the Treasury Board of Canada Secretariat (TBS) in 1994, as the standard for examining the trustworthiness and reliability of individuals that necessitate access to sensitive information and assets. The Standard was superseded by the (ARCHIVED) Standard on Security Screening in 2014 and by the Directive on Security Screening in 2025. The consequence of not updating the new security standard in the NSR may pose an unreasonable risk to the protection of sensitive information and assets and to nuclear facilities and nuclear substances. For example, the NSR do not prescribe financial inquiries (credit checks) for individuals with unescorted access to vital areas. These individuals may pose a security risk because of financial pressure or their history of poor financial responsibility. While the status of an individual’s financial situation may not affect their ability to do a job, financial obligations or pressures could pose a security risk.

Use of private security guards at nuclear facilities

There is considerable variation in training and licensing requirements across the country and a lack of oversight for the use of private security personnel. Some jurisdictions have no legislation, policy or guidelines on the use of private security. The inconsistency in regulatory practices raises concerns about the use of private security services at nuclear facilities. Several issues have been mentioned in the Public Safety Canada 2015 Study (PDF), such as the potential for criminal activity, the infiltration of private security by organized crime groups, the exploitation of security officers through low wages, and corruption in security guard training schemes. The lack of interfaces with provincial private security regulations is an area for improvement in the security regulatory framework. The NSR do not contain any baseline requirements on the training and qualifications for private security guards or “in-house” security personnel at nuclear facilities.

New federal government activities with respect to small modular reactors (SMR)

Small modular reactor (SMR) technology is an emerging technology that is an important component of Canada’s net-zero initiatives led by the Minister of Natural Resources in 2021 and in (ARCHIVED) Budget 2022. Without new SMR builds, nuclear power generation could be severely limited in its contribution to decarbonization initiatives. Amendments to improve the efficiency and clarity of requirements in the NSR were identified as a priority in Pillar 2: Policy, legislation and Regulation of the SMR Roadmap. Amendments will enable the removal of regulatory barriers to the development and deployment of new reactor designs and technologies, as the NSR do not provide for the application of a graded approach based on risk-informed criteria.

Other issues

Certain definitions in the NSR, such as the definitions for weapons, explosive substances and firearms, are not aligned with the Criminal Code definitions. Other definitions, such as sabotage and security monitoring room, are not aligned with the IAEA Nuclear Safety and Security Glossary (PDF). In addition, the current layout of the NSR can make it challenging to determine which requirements apply to nuclear material and which apply to a specific facility. For example, requirements that apply to Category III nuclear material are found in both Part 1 and Part 2 of the NSR. Further, Schedule 2 of the NSR contains a list of specific organizations, some of which have changed names or do not exist anymore. Overall, the approach to Schedule 2 in the NSR is outdated and does not include any specific types of nuclear facilities, and as a result, it cannot be applied to new applicants or other nuclear facilities.

Background

The Nuclear Safety and Control Act (the NSCA or the Act) establishes the CNSC’s authority to set regulatory requirements for all nuclear-related activities in Canada. Under the Act, the CNSC regulates the use of nuclear energy and materials to protect the health, safety and security of Canadians and the environment; to implement Canada’s international commitments on the peaceful use of nuclear energy; and to disseminate objective, scientific, technical and regulatory information to the public. A key part of the CNSC’s mission is to regulate the security of nuclear material, nuclear substances, nuclear facilities, prescribed equipment and prescribed information.

The NSR apply to nuclear facilities that process, use or store Category I, II or III nuclear material, including nuclear power plants, as set out in Schedule 1 of the NSR. They also apply to facilities such as nuclear fuel fabrication facilities and nuclear substance processing facilities listed under Schedule 2 of the NSR, as well as proponents of new nuclear facilities. The NSR are divided into two parts. Part 1 sets security-related requirements and general obligations for licence applications submitted in accordance with the NSCA. It also includes information about security requirements for HSS, as defined in the NSR. Part 2 provides security-related requirements for the licensing and operation of nuclear fuel and processing facilities that are listed in Schedule 2 of the NSR.

The last major revision of the NSR was completed in 2006. These amendments incorporated the results of domestic and international analysis and recommendations that were driven by the significant change to the security context following the terrorist attacks on the United States on September 11, 2001.

The review of the NSR was associated with significant federal government activities with respect to the Canadian SMR Roadmap Steering Committee.^{footnote 10} This steering committee identified, in its report titled A Call to Action: A Canadian Roadmap for Small Modular Reactors, that “the current regulations would require SMRs to incorporate security infrastructure comparable to today’s operating full-scale nuclear power plants.” One of the priority recommendations from that report was for the CNSC to revise the NSR to remove prescriptive requirements and instead focus on ensuring that consistent security outcomes and performance objectives are met. The SMR Roadmap also recommended that the NSR provide for the application of a graded approach based on risk-informed criteria. The follow-up to the SMR Roadmap, titled SMR Action Plan, was released in December 2020. It further underlined the importance of removing prescriptive requirements from the NSR as highlighted in action CNSC01 “Nuclear Security” and CNSC02 “Regulatory Efficiency.” As part of the SMR Action Plan, the Minister of Natural Resources detailed in the Message from the Minister the importance of SMR technology to Canada’s plan to achieve a net-zero economy^{footnote 11} by 2050.

In Budget 2022 (PDF), the Government of Canada committed to supporting SMR development and deployment in Canada by providing $120.6 million over five years, starting in 2022–2023, and $0.5 million ongoing. This funding included

$50.7 million, and $0.5 million ongoing, for the CNSC to build capacity for the regulation of SMRs and to work with international partners on global regulatory harmonization; and
$69.9 million to Natural Resources Canada to undertake research for SMR waste management, to create a fuel supply chain, to strengthen international nuclear cooperation agreements, and to enhance domestic safety and security policies and practices.

The Regulations will support the Government of Canada’s commitments related to SMR development and deployment.

Objective

The policy goals for repealing and replacing the NSR include

ensuring continued security of nuclear facilities and prescribed information to protect the health and safety of Canadians and the environment;
mitigating new threats and risks to nuclear facilities, nuclear materials and nuclear substances in Canada;
removing barriers to the development and deployment of new reactor designs and technologies as per the CNSC’s commitments in the SMR Action Plan and SMR Roadmap;
aligning with the Cabinet Directive on Regulation and the Policy on Regulatory Development by implementing performance-based regulations where appropriate;
aligning with international conventions and IAEA recommendations, guidance and best practices, as well as ensuring that Canada continues to fulfill its international obligations for the security of nuclear and radioactive material; and
improving the clarity and readability of requirements.

Description

The key elements of the Regulations are summarized below.

Moving towards a more performance-based approach

The Regulations will include performance-based requirements where practical. The performance-based requirements will include, but are not limited to, the application of traditional barriers/physical protection systems, the use of on-site and/or off-site armed response forces, the defence against design basis threat (DBT)^{footnote 12} sabotage events and the use of alternative measures such as engineered systems and novel concepts of operation, safety and security-by-design (SeBD) systems, or any combination thereof. The Regulations will establish the performance-based requirements and objectives, and these performance objectives will be applied to licensees and other affected stakeholders using a risk-informed approach, commensurate with the risk and complexity of the licensed activity. Implementing a more performance-based approach to regulating nuclear security will enable applicants and licensees to introduce new technologies, processes and procedures while meeting the same robust security objectives. The CNSC considers the level of risk of a facility or activity using the best available data and science in all regulatory activities, whether novel or conventional. This approach considers the level of risk to health, safety, security and the environment as the basis by which to establish regulatory requirements.

Inclusion of new requirements for threat and risk assessment

The Regulations will require nuclear facilities to

conduct threat and risk assessments (TRAs) at least every five years;
include both physical and cyber threats in TRAs; and
maintain and review TRAs on a regular basis (every 12 months) when the threats change or after a nuclear security incident and to update the TRA when needed.

Inclusion of new requirements for cyber security and for the protection of sensitive information

The Regulations will require that nuclear facilities address the cyber security risks identified in their TRA as part of their cyber security program and protect relevant computer-based systems and components from those threats and risks.

In addition, the Regulations will require applicants and licensees to identify sensitive information in physical and/or digital form and to ensure the sensitive information is protected against the threats identified in the licensee’s TRA, throughout the lifecycle of the information. This new requirement will apply to computer-based systems and components used for processing, storing and transmitting sensitive information.

Better alignment with international recommendations, guidance and best practices

The Regulations will include new requirements to

enhance nuclear security culture by requiring licensees to develop, implement and promote nuclear security culture measures and practices at their respective facilities;
implement provisions for effective interfaces between nuclear safety, security and safeguards at nuclear facilities. It will require licensees to assess and manage the interface with safety, security and safeguard activities in such a way as to ensure that they do not adversely affect each other and that, to the degree possible, they are mutually supportive;
conduct regular security exercises, at a minimum every five years, including during transportation applications;
include requirements for compensatory measures for nuclear security measures/systems;
enhance and clarify the nuclear security measures for vital areas;
implement a radiological consequence-based approach to the identification of vital areas and for the implementation of vital area nuclear security measures;
implement monitoring and storage requirements for nuclear substances at non-HSS to prevent the unauthorized removal of nuclear substances and defend against insider threats;
implement a two-person rule or equivalent measures to mitigate potential insider threats in the central alarm station at HSS; and
strengthen requirements for backup alarm stations at HSS.

Update for new security clearance screening standard

The Regulations will update the security screening standard for facility access clearance to include new requirements similar to those in the TBS Directive on Security Screening for site access status, site access clearance and enhanced security screening. In particular, credit checks will be required for individuals with enhanced site access clearance. In addition, the site access status and site access clearance validity will expand from 5 to 10 years to align with the Directive on Security Screening.

Use of private security services at nuclear facilities

Under the Regulations, licensees will be required to ensure that security guards (non-nuclear security officers) are equipped, qualified and trained to perform their assigned duties. Licensees will also be required to develop and maintain procedures and instructions for these security guards.

Introduce and revise definitions and terminology

The Regulations will update and clarify certain definitions. For example:

The term “Security Monitoring Room” will be replaced with “Central Alarm Station” to avoid confusion with small modular reactors.
The definitions of “Design Basis Threat,” “direct visual surveillance,” “effective intervention,” “off-site response force,” “protected area,” “vital area” and “sabotage” will be revised to support the transition to performance-based requirements and also to introduce the concept of radiological consequences and connect those definitions to measurable dose limits.
The definitions of “explosive substance,” “firearm” and “weapon” will refer to the existing definitions in the Criminal Code.
The term “physical protection measures” will be replaced by “nuclear security measures” to include both cyber and physical security measures.
There will be new definitions of “limited access area,” “physical barrier,” “sensitive information,” “critical security measure” and “security exercise.”

Simplified layout

The layout of the Regulations will be revised to enhance clarity and to reduce any repetition. The improvements that will be implemented include the following:

Schedule 2 of the NSR will be removed entirely. The Regulations will not name specific licensees or facilities to which the Regulations apply.
The Regulations will identify the nuclear facilities subject to the Regulations via the definition of “nuclear facility” pursuant to the NSCA.
The Regulations will organize the requirements under a new structure, which will segment the Regulations into five parts (instead of two) to assist applicants and licensees in locating the applicable requirements for their licensed activity.
- Part 1: General Provisions, which will apply to all licensees subject to the NSR except for transportation
- Part 2: High-Security Sites
- Part 3: Other Nuclear Facilities
- Part 4: Licence to Transport
- Part 5: Consequential Amendments, Transitional Provisions, Repeal and Coming into Force

Consequential amendments

Consequential amendments will be made to the Class I Nuclear Facilities Regulations, Nuclear Substances and Radiation Devices Regulations and the Packaging and Transport of Nuclear Substances Regulations, 2015. This will ensure references to the Regulations will be accurate.

Administrative monetary penalties

The Regulations will also make amendments to Part 9 — Nuclear Security Regulations — of the schedule to the Administrative Monetary Penalty Regulations (Canadian Nuclear Safety Commission). This section has been updated to reflect the new structure of the Regulations and the new wording of the Regulations. The category of violations that will be established for the corresponding administrative monetary penalties (AMPs) is based on the existing category of violations for individuals and for persons other than an individual. The Administrative Monetary Penalty Regulations (Canadian Nuclear Safety Commission) will include the following new penalties:

22 new AMPs for individuals and persons, including all nuclear facilities, related to security culture, interfaces of safety, security and safeguards, compensatory measures, critical security measures, cyber security, the protection of sensitive information and the security of nuclear substances;
26 new AMPs for individuals and persons, including non-HSS, related to threat and risk assessments, security guards, prohibitions against weapons, explosives, threat items and the unauthorized removal of nuclear substances, searches and screening provisions, and for security exercises;
14 new AMPs for individuals and persons specific to HSS regarding storage of nuclear substances, corrective action plans for security exercises, central alarm stations and backup alarm stations; and
5 new AMPs for transportation activities related to transportation security exercises.

The Regulations will adopt existing NSR AMPs and also improve the clarity and precision of the CNSC’s AMP framework, where each clause/provision will have its own corresponding AMP.

Information on the development, determination and impacts of the CNSC’s AMPs may be found in the CNSC’s discussion paper (ARCHIVED) DIS-12-05, Administrative Monetary Penalties, as well as in the impact analysis of the CNSC AMP Regulations. The CNSC also provides information on the use of AMPs as a compliance and enforcement tool in the regulatory document entitled REGDOC-3.5.2, Compliance and Enforcement: Administrative Monetary Penalties, Version 2.

Incorporation by reference

The Cabinet Directive on Regulation and the Policy on Regulatory Development encourage federal regulators to consider incorporation by reference as a tool to achieve regulatory outcomes. There are two documents that will be incorporated by reference in the Regulations: the Directive on Security Screening from the Treasury Board of Canada Secretariat and the Dangerous Quantities of Radioactive Material (D-Values) from the IAEA. Both of these documents are available online free of charge in both official languages and are well known and well understood by the CNSC and the regulated community.

The CNSC has reviewed these documents and determined they will meet the policy objectives of the Regulations. The CNSC will continue to monitor these documents to ensure the CNSC is aware of any revisions or changes to the documents. Should there be new/revised versions of the documents published, the CNSC will review them to ensure they continue to meet the policy objectives and will inform affected stakeholders of the publication of the new documents. Overall, the incorporated documents are updated infrequently; therefore, reviewing, assessing and communicating information to stakeholders will not pose a risk for licensees to comply with the Regulations.

Directive on Security Screening

The Regulations will incorporate the TBS Directive on Security Screening, as amended from time to time. The NSR referenced an earlier TBS standard, but that standard was superseded by the Directive on Security Screening. Site access clearances and enhanced site access clearances will be granted to personnel working at the nuclear facilities based on the criteria in this standard. The incorporation of this standard by reference will ensure that security clearances at nuclear facilities are issued based on the most up-to-date security screening standards. For more information, please refer to the “Changes to Government of Canada security clearance standards” subsection under the “Issues” section.

IAEA Dangerous Quantities of Radioactive Material (D-Values)

The NSR will incorporate by reference IAEA Dangerous Quantities of Radioactive Material (D-Values) as amended from time to time. Specifically, the CNSC will incorporate the data table containing the name of the radionuclide and the associated D-value (a numeric value). Incorporating this document by reference will align the Regulations with the most recent international scientific data on the health and safety risks of radionuclides. The incorporation of this document will address stakeholder concerns regarding security obligations for nuclear substances (other than nuclear material), as the D-values will provide the scientific criteria to determine what quantities and isotopes of nuclear substances will be subject to those requirements in the Regulations. The use of D-values was suggested by industry stakeholders during consultation. Refer to the section of the Regulatory Impact Analysis Statement (RIAS) regarding “Storage and Security of Nuclear Substances” for further discussion on those requirements.

Regulatory development

Consultation

Since 2016, the CNSC has undertaken significant and continuous consultation with stakeholders. Consultation workshops were held in 2016 and 2017 with nuclear industry stakeholders to obtain early input on potential improvements to the NSR based on new security technologies, new and evolving threats, new SMR possibilities and the industry’s operating experience with the NSR. In 2019, the CNSC co-hosted a workshop alongside the World Institute of Nuclear Security (WINS) for HSS representatives to explore modernization options for the security requirements for preventing potential sabotage events. Concurrently, the CNSC has been working with international counterparts to understand the evolving global security context and challenges. Moreover, informed by comments and input, the CNSC has been developing amendments, comparing options and making evidence-based decisions about the Regulations. In 2021, the CNSC embarked on broader consultation with all stakeholders regarding the Regulations. A detailed breakdown of the CNSC’s consultation for the Regulations is discussed below.

Early consultations (2016–2020)

The CNSC held three consultation workshops, in 2016 and 2017, with industry stakeholders to obtain preliminary input on potential amendments to the NSR. The industry stakeholders who attended the workshops were those directly responsible for implementing security measures at nuclear facilities or responsible for the security of nuclear material. The workshops included three different participant groups:

Licensees listed in Schedule 2 of the NSR; other licensees who possess, use, store and transport Category III nuclear material not covered in Schedule 2 of the NSR; and licensees who operate research-type reactor facilities (e.g. SLOWPOKE operators);
Licensees who operate HSS (e.g. nuclear power plants) and possess, use or transport Category I and II nuclear material; and
Vendors, designers and licensees interested in the construction and deployment of SMRs.

In December 2017, the CNSC released a stakeholder workshop report, which summarized the feedback received from the workshop participants. The CNSC also received feedback on the NSR through two discussion papers: in 2014, DIS-14-02, Modernizing the CNSC’s Regulations and in 2016, DIS-16-04, Small Modular Reactors: Regulatory Strategy, Approaches and Challenges. DIS-14-02 was posted on the CNSC website on November 17, 2014, for an initial 120-day consultation period, which was then extended to May 29, 2015, at the request of stakeholders. Following the consultation period, the comments received were posted for additional feedback from June to July 2015. DIS-16-04 was posted on the CNSC website for 120 days from May to September 2016, and the comments received were posted for additional feedback from November to December 2016. While comments received on DIS-14-02 were broad in nature and not specific to the NSR, they were noted and carried forward to the review of the NSR. Such comments raised issues of regulatory overlap, inconsistencies with international guidance, and using regulatory documents to set new requirements. However, comments on DIS-16-04 focused on the CNSC regulatory framework and how it could be clarified in some areas to enable a better understanding of how the CNSC’s licence application requirements might be applied to SMRs. A summary of the comments received from stakeholders, as well as the CNSC’s responses to those comments, was published in What We Heard Report – DIS-14-02 and in What We Heard Report – DIS-16-04, respectively.

2021 Consultation

In 2021, the CNSC issued two more discussion papers related to modernizing the nuclear security regulatory framework: DIS-21-02, Proposals to Amend the Nuclear Security Regulations and DIS-21-03, Cyber Security and the Protection of Digital Information. DIS-21-02, published for 90 days on the e-consultation platform Let’s Talk Nuclear Safety^{footnote 13} from April to July 2021, described the CNSC’s regulatory changes to areas of the NSR, such as physical protection (prevention of theft and sabotage), cyber security and the protection of nuclear security information, as well as security culture and the impact on NMAC. DIS-21-03, published for 90 days on Let’s Talk Nuclear Safety from July to October 2021, added more details on the revisions for regulating cyber security and the protection of digital information. From these two discussion papers, a total of 242 comments were received.

The CNSC hosted two information sessions with environmental non-governmental organizations (ENGOs) and members of the public on April 13, 2021, to inform participants about the regulatory amendment project, the past consultation and research that informed the CNSC’s proposals, as well as how to comment on the discussion papers and participate in stakeholder workshops following these information sessions. From April to September 2021, the CNSC held a series of consultation sessions with over 150 participants from the public, ENGOs, industry, Government of Canada departments and agencies, and representatives from various provincial governments. These sessions included a walkthrough of the regulatory amendment process, highlighted specific amendments to the NSR and presented the rationale behind the changes. Overall, in 2021, the CNSC received comments from 37 unique stakeholders, totalling over 500 comments. The CNSC summarized all stakeholder comments and the CNSC’s path forward on the NSR in the What We Heard Report: DIS-21-02 and DIS-21-03. Stakeholders supported most of the proposed amendments to the NSR that were discussed before the Canada Gazette, Part I (CG I), prepublication. Their principal concerns touched on the proposals for performance-based regulations, including those for protection against theft and sabotage, new cyber security and protection of sensitive information provisions, and the cost of performing security screenings. Additional details on these concerns are presented below.

Performance-based regulations

During the preconsultations, there was strong support from industry stakeholders for performance-based requirements with clear objectives, as well as for requirements that allow for alternative approaches to protect against theft and sabotage. However, industry stakeholders requested clarity on what the CNSC will consider sufficient in meeting nuclear safety objectives. Certain industry stakeholders emphasized that considerations ought to be different between large nuclear power plants and small nuclear facilities, where the latter have smaller inventories of nuclear materials. The public and ENGOs cautioned that the NSR must ensure that current levels of security are maintained or strengthened and that the application of nuclear security should be at the same level, regardless of the geographic location or technology used in that facility (e.g. urban versus remote locations).

In consideration of the concerns above, it should be noted that compliance with any performance-based requirement will be assessed by the CNSC. Applicants and licensees will be required to demonstrate that they have achieved the objectives or outcomes as set out in the Regulations. The Regulations will continue to support Canada’s robust nuclear security regime while affording licensees and applicants greater flexibility in demonstrating how they can meet nuclear security regulatory requirements. The CNSC will provide further guidance on how to meet performance-based requirements in the CNSC’s regulatory guidance documents^{footnote 14} (REGDOCs). In addition, the CNSC meets with licensees periodically to provide guidance.

Cyber security threats and cyber security in TRAs

Cyber security requirements are currently found in the licence^{footnote 15} of each HSS. The CNSC requires HSS to follow the Canadian Standards Association (CSA) standard N290.7, Cyber security for nuclear facilities^{footnote 16} and cites this standard as guidance for other nuclear facilities. Representatives from research reactors, SMRs and other nuclear substance processing facilities expressed the need for a risk-informed approach to requirements for cyber security. Although the research reactor licensees supported the risk-informed approach to cyber security, they also raised concerns regarding the use of the risk-informed approach, as they thought it was unclear how CSA N290.7 could be applied to lower-risk licensed activities.

Representatives from HSS voiced concerns over costs to implement the new 2021 version of the CSA N290.7 standard. However, it should be noted that these costs will be borne by the licensee regardless of the requirements in the Regulations, as the previous version of that standard is already a requirement for HSS through the licence conditions for those facilities.

Stakeholders from all groups — though most strongly from the SMR vendors and designers, the research reactors and fuel cycle licensees — questioned the need to submit revisions to the TRAs on an annual basis. The CNSC then clarified that the proposal will require that the TRAs be reviewed by the licensee every year but revised only if there is a change. There was general agreement among industry stakeholders to include cyber threats in the TRAs and to have requirements to protect against cyber threats, as some HSS were already doing this. Licensees from all groups and SMR vendors and designers, however, expressed a need for more guidance on how to assess cyber threats and how to integrate them into the TRAs.

Industry stakeholders recommended the use of a risk-informed approach to determine the systems that ensure or impact safety, security, emergency preparedness and safeguards that will be included in the licensee’s TRA. Industry stakeholders noted that the program elements set out in the CSA N290.7 standard are suitable in general, and certain industry stakeholders sought the use of the risk-informed approach, which will allow licensees of facilities with Category III nuclear material the flexibility to propose alternative methods, approaches and security measures. However, industry stakeholders also requested that the CNSC provide further guidance as to how the CSA N290.7 standard could be applied to these facilities.

The CNSC intends to provide guidance regarding TRAs and the application of the risk-informed approach for cyber security considerations in its REGDOCs.

Protection of sensitive information

Most licensees agreed with the CNSC’s lifecycle approach for the protection of sensitive information, though some expressed concerns about the increase in scope of information to be protected and found the definition of sensitive information to be overly broad. Most licensees already use risk-informed information classification schemes and generally agreed that classifying and marking information is necessary to adequately handle and protect information. However, some expressed concerns that the classification scheme^{footnote 17} will be difficult to align with their existing classification schemes and could potentially lead to over-classifying information and that implementing multiple sensitivity levels will be overly burdensome in achieving the regulatory objective.

The CNSC will clarify requirements and develop guidance on how to identify and protect sensitive information in its REGDOCs.

Security clearance screening standard

Industry stakeholders expressed concerns with expanding the need to conduct financial and security checks for all employees, as opposed to applying the standard based on the level of responsibility for individual roles. There were also concerns about the accessibility of technology used to conduct fingerprinting, as some have faced challenges with collecting employees’ fingerprints.

The CNSC recognizes that employers have experienced issues with fingerprinting due to COVID-19 restrictions and the lack of technology availability. As a result, the CNSC has changed the proposal to not require fingerprinting as part of the law enforcement inquiry (criminal record name check). Based on the feedback received during consultations, the proposal related to credit checks was also changed so that they will be mandatory only for individuals with an enhanced security site access clearance, based on a risk-informed approach.

Canada Gazette, Part I, prepublication

The Regulations were prepublished in the Canada Gazette, Part I, on November 12, 2022, followed by a 60-day comment period.

Overall, 16 submissions were received, totalling 107 unique comments, with 103 submitted by industry stakeholders and 4 comments from members of the public. The comments primarily focused on the impact of the Regulations on existing facilities, with a smaller focus on the impacts of the Regulations on potential future SMR development and deployment.

Concurrently with the CG I prepublication, a discussion paper entitled DIS-22-02, Proposals to Amend the REGDOC 2.12 Nuclear Security Series was posted on the CNSC’s e-consultation platform for public consultation. This discussion paper provided an opportunity to consult with stakeholders on the clarifications and guidance that will be included in the revised REGDOCs.

The main themes of stakeholder interest and concerns during the CG I consultation period included the following:

requests for clarification on the scope and the requirements for critical security measures;
the scope of requirements for cyber security and sensitive information;
concerns about the prescriptiveness and operational impacts of requirements for the storage and security of nuclear substances;
concerns about the prescriptiveness and operational impacts of the requirements for the protected area nuclear security measures;
requests for clarification on the requirements for searches, access control and authorizations for entry into certain areas of an HSS (vital areas and inner areas);
updates and access to the DBT;
the need for metrics for radiological consequences in support of vital area identification;
concerns about the prescriptiveness and operational impacts of the vital area nuclear security measures;
requests for clarification on the requirements for secondary alarm stations;
requests for clarification on the strengthening of transportation security provisions; and
questions and concerns about the timelines for entry into force of new requirements.

To clarify comments and further discuss concerns from industry stakeholders, CNSC staff held a workshop with industry stakeholders from March 22 to March 24, 2023, in Ottawa, Ontario. A Stakeholder Workshop Report summarizing the discussions and path forward was drafted and published on the CNSC’s e-consultation platform. A follow-up workshop with industry stakeholders to discuss revised policy proposals due to the feedback received was held on December 13, 2023. A discussion on the main themes of stakeholder interest and concern, as well as the amendments made to the Regulations between prepublishing in CG I and publishing in CG II, are presented below. A table summarizing the main changes is provided at the end of this section.

Critical security measures

Industry stakeholders had voiced concerns over the provisions requiring compensatory measures and uninterrupted power supplies for all security measures at nuclear facilities. Industry stakeholders stated that the potential scope of systems and components subject to these requirements was too broad and that it would be impractical and unnecessary to implement compensatory measures and uninterrupted power supplies for every security measure at their facilities. In addition, industry stakeholders stated that applying these provisions to degraded cyber security measures would be extremely burdensome and would not benefit the safety and security of nuclear facilities.

To address industry stakeholder concerns, the CNSC added a definition of “critical security measure” to the Regulations. With this definition, it is clear which security measures are considered critical and must meet the requirements for compensatory measures and uninterrupted power supplies. Applicants and licensees will be required to identify the critical security measures in the TRA and then put in place appropriate compensation measures in the event that a system/component loses power or otherwise becomes inoperable. This amendment and new definition were shared with the regulated industry during the December 2023 workshop, and the industry was overall supportive of the proposed change.

Cyber security and protection of sensitive information

Industry stakeholders expressed concerns about the proposal to prescribe that all nuclear facilities ensure all functions related to safety, security, emergency preparedness and response and safeguards provide protection against cyber security threats. Industry stakeholders raised the concern that compliance with that requirement would not be relevant, applicable or practical to consider for all facilities. For example, certain facilities subject to the Regulations, but with lower-risk profiles, do not carry out emergency preparedness or safeguard functions and, as a result, there would be no practical way (or added benefit) of protecting those functions from cyber security threats.

To address stakeholder comments, the CNSC has removed those specific functions from the Regulations and revised the requirements such that the Regulations will require licensees to protect the computer systems and electronic components of the nuclear facility against cyber security threats, as identified in the TRA. As a result, the revised requirement focuses on the outcomes for cyber security programs. The previous list of functions will be included in the revised REGDOCs, which will provide additional guidance on cyber security provisions to protect those functions at relevant facilities as part of a licensee’s overall cyber security program. Industry stakeholders were consulted about this change and voiced their support.

Regarding the requirements for the protection of sensitive information, the main point of concern for industry stakeholders was ensuring the protection of all information that could potentially meet the definition of sensitive information. In the absence of context, they found this unclear and overly broad, and suggested that this could result in unnecessary costs to protect a large amount and variety of information. After evaluating industry stakeholder feedback, the CNSC has revised the requirements such that the Regulations will require the licensee to use the TRA for that facility to determine what constitutes sensitive information within the context of that facility and associated activities. Subsequently, all sensitive information will be required to be protected from the threats and risks identified in the TRA. This will reduce the broad scope of information, as it will scope the definition of sensitive information by tying it to the TRA. Guidance on identifying, classifying and protecting sensitive information will be provided in the revised REGDOCs and can also be found in international standards and guidance documents.

Storage and security of nuclear substances

Industry stakeholders raised concerns that the proposed requirements for the storage of nuclear substances were too prescriptive and would have significant cost and operational impacts. Industry stakeholders were also concerned that the requirements to use equipment to detect unauthorized removal of nuclear substances would not be effective in detecting certain substances and preventing removal. In addition, concerns were raised that proposed requirements for direct surveillance would be cost prohibitive.

Industry stakeholders suggested that administrative or process controls would be more effective to store and prevent the unauthorized removal of nuclear substances. Industry stakeholders further expressed that the NSR should be more flexible to allow licensees to propose their own approaches to securely store nuclear substances based on the risk profile of their specific inventories. Industry stakeholders also expressed that there was a need for quantitative criteria to determine the type and quantity of nuclear substances that would be subject to these requirements.

To address stakeholder feedback regarding the storage and unauthorized removal of nuclear substances, the CNSC revised this provision to give more flexibility to the licensee regarding how to achieve the desired outcomes with respect to detecting, delaying and responding. The provisions were revised, and the Regulations will require licensees to implement nuclear security measures that will detect unauthorized access to nuclear substances in storage and provide sufficient delay to respond and prevent the unauthorized removal of those nuclear substances. This approach aligns with international best practices using factors of detection, delay and response for the security of nuclear facilities.

To address concerns around the requirement for direct surveillance of nuclear substances, the CNSC has adopted industry stakeholders’ suggestion to use the D-values^{footnote 18} (the dangerous quantities of radioactive material) published by the IAEA as a way of determining the type and quantity of nuclear substances that must be protected. The Regulations will use D-values to identify the nuclear substances and their respective quantities that will be subject to these requirements for storage and direct surveillance. The CNSC determined that incorporation by reference of the data values/data tables of this IAEA document will be an effective means of identifying the quantities of nuclear substances subject to these requirements in the Regulations. As a result, this use of incorporation by reference addresses the CG I comments from stakeholders in this regard. Further information on the use of incorporation by reference in the Regulations is provided in the “Incorporation by reference” section of this RIAS.

Protected area nuclear security measures

Industry stakeholders raised concerns that the requirements for two barriers (one external barrier and one internal barrier) surrounding the protected area of an HSS were too prescriptive and implementation would have significant operational and cost impacts on several HSS. In addition, industry stakeholders suggested that the requirements for two barriers surrounding the protected area would impact and complicate potential expansions to existing facilities due to the space that the additional barrier would require. Industry stakeholders recommended making these requirements performance-based, which would allow applicants and licensees to assess how many barriers and nuclear security measures are needed for each facility based on the threats and risks relevant to each facility.

The CNSC decided not to prescribe the use of internal and external barriers for protected areas. The Regulations were updated after their publication in CG I to require one barrier and at least two additional nuclear security measures for the protected area. The barrier and nuclear security measures must be able to detect intrusions (or attempted intrusions) and any tampering of the security measures, trigger a continuous alarm, facilitate immediate assessment of the alarm, and provide sufficient delay time against unauthorized access to the protected area. This delay time is to allow for an appropriate response from on-site and/or off-site personnel, as necessary. This provision focuses on, and aligns with, international best practices on the main factors of detection, delay and response for the security of nuclear facilities. The revised REGDOCs will provide additional guidance on appropriate protected area security measures as well as delay time/intruder path analysis calculations to facilitate the delay and response times for each facility.

Searches, access control and authorizations

Industry stakeholders requested clarification on several provisions related to the following:

The requirements for searches for Category I, II and III nuclear materials (and related requirements for signage regarding searches) at non-HSS that did not have nuclear materials at the site. Certain non-HSS licensees stated that it was not feasible or practical to perform searches for material that is not present at their facilities and installing signs associated with those searches served no purpose.
The requirement for two pieces of identification for visitors (including delivery drivers), as it would impact operations at nuclear facilities (especially at non-HSS).
The requirement for licensee staff to have “written authorizations” to enter a protected, vital or inner area or to act as a central alarm station operator, nuclear security officer or nuclear security support person.

The CNSC has revised these provisions in the Regulations to provide clear expectations and requirements for nuclear facilities. The overall revisions include clarifying the requirements for signage and searches of nuclear material and nuclear substances at HSS and non-HSS so that the inventory of nuclear material/substances at those facilities is taken into consideration. Further, the CNSC revised the requirements for people with escorted access (i.e. visitors) to require one piece of identification to better accommodate visitors and delivery drivers. Industry stakeholders expressed support for these changes at a December 2023 workshop with the CNSC.

In addition, the CNSC will clarify in the supporting REGDOCs that the term “written authorization” would include authorizations issued electronically. Therefore, there would not be a burdensome requirement to write out the authorizations for each individual.

Design basis threat

The CNSC did not propose any changes to the requirements regarding DBT in the Regulations. However, the CNSC received several comments on DBT provisions from industry stakeholders, who voiced two main concerns:

The threats in the existing DBT do not align with the new/amended requirements in the Regulations.
The DBT should be provided to new licence applicants and reactor vendors in order to provide proponents with important security-related information such that they could develop their nuclear security measures/programs to defeat/mitigate the DBT earlier in the facility design process. Under the existing requirements, the DBT is provided only to HSS licensees.

While these comments did not result in any changes to the Regulations, they are being considered as part of the process to review and update the DBT, which is a separate and independent process, as the DBT is not a statutory instrument. The CNSC will consult with impacted licensees on the revised DBT as needed in this process and will inform HSS licensees of the revised DBT once completed, as required in the Regulations.

Vital area identification (radiological consequences)

Industry stakeholders expressed concerns that the definition of a “vital area” was unclear, particularly given the use of the term “unreasonable risk.” Industry stated that the lack of clarity in the definition would impact their ability to identify vital areas, as required in the Regulations, as they do not have a means to know what radiation dose or radiation release limits would constitute an “unreasonable risk.” Industry stakeholders suggested revising the definition of “vital area” to use the concept of radiological consequences instead of “unreasonable risk.”

Industry stakeholders suggested that the use of radiological consequences, defined in terms of quantitative radiation dose limits, would establish clear, measurable metrics for determining what constitutes a vital area of an HSS. As a result, any area in the nuclear facility with the potential to result in a dose over the limit/threshold would be considered a vital area. This approach would be consistent with IAEA recommendations and practices and with the policies of other nuclear regulators internationally.

In addition, industry stakeholders detailed that utilizing “radiological consequences” would ensure risk factors were considered when establishing thresholds and SeBD measures in the overall facility design for new facilities.

To address stakeholder concerns and clarify the requirements for vital area identification, the CNSC has revised the definitions of “sabotage,” “effective intervention” and “vital area” to introduce the concept of radiological consequences and connect those definitions to measurable dose limits. In turn, this will allow nuclear facility designers and operators to use these thresholds as acceptable metrics for identifying vital areas (and the requisite nuclear security measures) and protecting nuclear facilities and members of the public from radiological releases. The radiological consequence thresholds, the methodologies for determining radiological consequences at a nuclear facility, and the methodologies for identifying vital areas will be included in the revised REGDOCs. Similar information is also available in IAEA documentation.

Vital area nuclear security measures

Industry stakeholders expressed concerns about the requirements for means of entry/access control for the vital area and the requirements for intrusion/tampering detection for vital areas. Stakeholders suggested that these requirements would necessitate additional detection and assessment equipment/systems but would not provide a significant increase in the level of safety and security at the facility. Further, industry stakeholders stated that these requirements were highly prescriptive and, overall, would have significant operational and cost impacts on existing facilities and potential new SMR builds.

The CNSC considered the industry comments from CG I and concerns raised at a workshop in March 2023. Based on the feedback, the CNSC concluded that these requirements, as written, were prescriptive and would have unintended consequences for HSS. The CNSC determined that these provisions should be outcome-based focusing on the desired outcome for nuclear facilities to implement and maintain an additional layer of security for vital areas (in addition to the protected area nuclear security measures), which is aligned with the international (IAEA) best practices for vital area protection.

Responding to industry stakeholder concerns, the CNSC has amended the Regulations to require that licensees put measures in place that will deter, detect, delay and respond to theft and sabotage events in alignment with IAEA practices. The requirements state that licensees must adopt provisions for access control, detection of unauthorized access, delay of adversary entry, activation of alarms in the central alarm station in the event of unauthorized access, and detection/assessment of instances of tampering of nuclear security measures. This revised approach will provide an outcome-based, technology-neutral approach to vital area security. HSS licenses will not be required to implement specific security measures; instead, they will need to develop their own means to achieve the outcomes/functions required by the Regulations.

Secondary alarm stations

Industry stakeholders voiced strong concerns about the proposed requirement for a secondary alarm station (SAS). Industry stakeholders stated the construction of a separate SAS was not practical at certain facilities due to space considerations or decommissioning plans. Industry stakeholders also raised concerns about the cost burden this requirement would place on potential new SMR facilities.

To address stakeholder concerns, the requirements for SAS were revised to clearly state that licensees are required to have a form of backup station/measure/function independent of the central alarm station and that the backup/contingency measures must be performance tested. In addition, the term “secondary alarm station” was changed to “backup alarm station” to align with IAEA terminology.

Transportation security provisions

Members of the public provided comments related to the transportation security provisions of the Regulations. The commenters voiced their concern that it was not clear if the proposed requirements could ensure adequate detection and delay of and response to threats to Category I, II and III nuclear materials in transit. In addition, commenters inquired about how the CNSC would perform compliance verification and enforcement activities of the transportation security provisions.

To address stakeholder feedback, the CNSC revised the transportation security provisions to require that transportation security plans include a description of the conveyance and escort arrangement (risk-informed based on the category of nuclear material). The CNSC will verify compliance with the transportation provisions of the Regulations via reviews of documentation submitted by applicants and licensees (such as an application for a licence to transport), inspections of transportation activities and monitoring of transportation security exercises. The CNSC has also included, later in this RIAS, additional information on the implementation, compliance and enforcement strategies for the Regulations.

Further guidance on transportation security provisions and transportation security exercises will be provided in the revised REGDOCs.

Non-HSS facilities do not have Category I or II nuclear materials, and most non-HSS do not have Category III nuclear materials and, therefore, will not be impacted by this provision.

Coming-into-force provisions

Industry stakeholders representing HSS licensees raised concerns about the one-year transition period for those facilities to comply with the Regulations, as detailed in the transitional provisions. Industry stakeholders suggested that one year would not be sufficient time to perform the modifications to certain nuclear security measures (such as for vital areas, backup alarm stations and storage/surveillance of nuclear substances) necessary to comply with the requirements in the Regulations. To address this, the transitional provisions have been amended: the Regulations will include a two-year transitional period for both HSS and non-HSS facilities. Licensees were consulted on the revised transitional provisions during the December 2023 workshop and were supportive of the additional time that will be provided to come into compliance with the Regulations.

Summary of changes from CG I to CG II

The table below summarizes the main changes to the Regulations from the CG I prepublication to the CG II publication.

Item no.	Theme	Summary of major revisions
1	Critical security measures	Introduced a definition of "critical security measures" to provide the scope of the measures subject to requirements for compensatory measures and for the uninterrupted power supply.
2	Cyber security and the protection of sensitive information	Removed specific lists of functions that were subject to cyber security measures and revised the requirements to focus on the outcome of defending against cyber threats identified in the TRA. Clarified the scope of information subject to the provisions for the protection of sensitive information, by linking it to the TRA.
3	Storage and security of nuclear substances	CNSC revised requirements to be outcome-based (less prescriptive). Licensees will implement nuclear security measures that will detect unauthorized access to nuclear substances in storage and provide sufficient delay to respond to and prevent the unauthorized removal of those nuclear substances. Introduced the concept of D-values from the IAEA to determine the scope of nuclear substances subject to this requirement.
4	Protected area nuclear security measures	CNSC revised requirements to be outcome-based (less prescriptive). Revised the requirement for two barriers (internal and external barrier) to state that a barrier, in combination with other nuclear security measures, must provide for the appropriate detection, delay, and alarm assessment provisions, based on the licensee’s security case.
5	Searches, access control and authorizations	Clarified the provisions for searches and signage to better account for the inventory of nuclear substances. Revised escort requirements to better accommodate visitors. Removed requirements for "written authorizations."
6	Radiological consequences	Introduced a radiological consequence-based approach to identifying and protecting vital areas.
7	Vital area nuclear security measures	Revised requirements to be outcome-based (less prescriptive). Revised requirements for licensees to adopt provisions for access control, detection of unauthorized access, delay of adversary entry, activation of alarms in the central alarm station in the event of unauthorized access, and detection/assessment of instances of tampering of nuclear security measures.
8	Secondary alarm stations	Revised requirement to have an independent backup alarm station that performs the functions of the central alarm station. Changed the terminology from "secondary alarm station" to "backup alarm station" to align with terminology used internationally.
9	Transport security	Added requirements that the transport security plan must include a description of the conveyance and the escort arrangements during transport.
10	Coming-into-force timelines	Revised coming-into-force timeline for HSS from one year to two years. The implementation timeline for non-HSS remains unchanged at two years.

Indigenous engagement, consultation and modern treaty obligations

Due to the security-specific nature of this regulatory proposal to repeal and replace the NSR, the CNSC did not expect an impact on Indigenous and/or treaty rights. Nonetheless, to support engagement with Indigenous Nations and communities, the CNSC reached out in 2021 regarding the aforementioned discussion papers and workshops to all Indigenous communities that have nuclear facilities in their traditional or treaty territory or those who have expressed an interest. The CNSC offered to engage, discuss and receive comments about the proposed regulations. The Indigenous Nations and communities contacted by the CNSC did not indicate a need for or interest in further consultations.

The initial assessment of modern treaty obligations examined the geographical scope and subject matter of the initiative in relation to modern treaties in effect and did not identify any potential modern treaty implications. Although no clear linkages or impacts on modern treaty partners have been identified as a result of the Regulations, Crown-Indigenous Relations and Northern Affairs Canada (CIRNAC) recommended that modern treaty partners be included in the CNSC’s engagement strategy, where there is the potential for nuclear projects. CIRNAC provided a list of modern treaty partners to reach out to, which includes the regions of the Northwest Territories, Nunavut, Yukon, Labrador and Northern Quebec. The CNSC contacted modern treaty partners in these regions with information on the Regulations and offered to provide more information should there be interest.

Following the CG I prepublication, the CNSC reached out again to Indigenous partners and communities that have nuclear facilities in their traditional or treaty territory, or that expressed an interest in nuclear facilities and/or nuclear facility regulations, to inform them that the Regulations were publicly available for review and comment. The CNSC held question-and-answer sessions with two Indigenous communities and organizations and received written submissions from four Indigenous Nations and communities on the Regulations and/or the REGDOC discussion paper (DIS-22-02). Topics of feedback/discussion included providing more information and clarity on new provisions for cyber security and sensitive information, questions related to the transition to performance-based regulations, requests for clarification on REGDOC content, and discussions on the overall regulation-making process. Following these submissions/sessions, the CNSC contacted the Indigenous communities and organizations on potential follow-up activities. No further consultation/engagement requests were received.

The CNSC is committed to engaging with any Indigenous Nation or community that expresses interest regarding the CNSC’s regulatory framework. For additional information on the CNSC’s commitment to Indigenous engagement and consultation, refer to CNSC REGDOC-3.2.2, Indigenous Engagement and to its web page on Indigenous consultation and engagement.

Instrument choice

After considering the following non-regulatory options, the CNSC determined that repealing and replacing the NSR was the most effective and appropriate instrument.

1. Status quo

The option of maintaining the status quo was considered but rejected.

The threats and risks faced by nuclear facilities in Canada have changed significantly since the NSR entered into force and were last amended in 2006. New technologies and measures to protect nuclear facilities, nuclear materials and nuclear substances have also been developed since that time. The risk to Canadians and the environment continues to increase over time, as past threats faced by Canadian nuclear facilities evolve, and new countermeasures, counter technologies or other security measures are not able to be properly considered and deployed.

SMR technology is an emerging technology that is an important component of Canada’s net-zero initiatives by the Minister of Natural Resources in 2021 and in (ARCHIVED) Budget 2022. Without new SMRs, nuclear power generation could be severely limited in its contribution to decarbonization initiatives. Amendments to improve the efficiency and clarity of the prescriptive requirements in the NSR were identified as a priority in Pillar 2: Policy, legislation, and regulation of the SMR Roadmap. A need to amend the NSR was identified in the SMR Roadmap recommendation 22, with the resulting commitment from the CNSC to amend the NSR captured in actions CNSC01 and CNSC02 of the SMR Action Plan.

2. Licence conditions

The idea of adding the new security requirements to individual licences as licence conditions was considered but ultimately rejected. Since most of the requirements are common to all nuclear facilities or at least a subset of facilities (i.e. HSS), rather than repeating the same requirements in each and every licence as licence conditions, the CNSC determined that it would be more effective to capture these as a minimum set of generic requirements in regulation. However, the CNSC recognizes that licence conditions can be an effective way of prescribing certain requirements, including facility-specific requirements, when needed.

3. Voluntary compliance

The CNSC also looked at the possibility of a voluntary compliance regime; however, this option was rejected, as it would not be possible to ensure consistent minimum standards. Voluntary compliance, whether through the use of the CNSC’s regulatory guidance documents (REGDOCs) or via other programs by licensees, implies that there is some discretion on the part of the licensee with respect to the implementation of nuclear security measures. This could potentially leave Canadian nuclear facilities vulnerable to physical and/or cyber threats. Voluntary compliance includes the possibility of licensees applying differing security measures or standards in terms of the level of security, which could lead to inconsistencies in how security threats and risks are addressed across licensees. Voluntary compliance would not provide the Canadian public or the international community with the assurance that adequate nuclear security protection measures have been taken to address threats to Canadian nuclear facilities, nuclear materials and nuclear substances.

Regulatory analysis

Benefits and costs

The total present value cost for the Regulations is expected to be $141.3 million, with the total present value of the benefits being $221.5 million. This results in a net present value (benefit) of $80.2 million for the Regulations (2023 CAD). The majority of present value costs for the Regulations are related to vital area nuclear security measures ($76.6 million), cyber security and information security provisions ($24.5 million), and provisions for backup central alarm stations ($14.5 million). These costs are primarily related to existing facilities and were adjusted based on industry stakeholder estimates concerning the new requirements outlined in CG I.

The Regulations will enhance safety and security around nuclear sites and reduce the risk of catastrophic incidents that could damage the health of Canadians or the environment, or cause economic damages due to power outages. Since incidents and accidents at nuclear sites are extremely rare, the reduction in risk cannot be quantified. There are also qualitative benefits due to the Regulations associated with the reduced risk of nuclear security incidents. The benefits that are monetized are primarily related to cost-saving from performance-based security staff requirements ($196.8 million) for future SMR development and deployment, and not from existing facilities.

A detailed CBA report for the Regulations can be obtained by contacting the CNSC. Contact information is provided at the end of this RIAS.

Summary of changes between the Canada Gazette, Part I, and the Canada Gazette, Part II

There are differences in the CBA between what was posted in the RIAS for CG I and this version. The main reasons for changes in monetized costs include the following:

Canada went through a period of high inflation during the development of these Regulations.^{footnote 20} The CG I prepublication used 2021 CAD, and the CG II publication uses 2023 CAD. Due to high inflation, some costs have been increased by 11%, in accordance with the inflation calculator from the Bank of Canada.^{footnote 21}
The time period for the CBA was changed for CG II due to a change in the coming into force date of the Regulations. To address stakeholder comments regarding implementation challenges, the CNSC included a 2-year coming into force timeline in the Regulations. To be consistent with the Policy on Cost-Benefit Analysis, the time period for the analysis started in 2025 (CG I publication/registration) and was then extended 10 years from 2027 to 2036 (coming into force date) to be consistent with the Requirements for developing, managing and reviewing regulations. Therefore, the time period for the CBA for CG II was 12 years, as opposed to the 10 years in the CG I prepublication, which led to additional monetized costs.
The projections for potential new nuclear projects have increased substantially since CG I. While the Regulations will provide for significant monetized benefits overall for new nuclear facilities, there would be certain cost increases related to new nuclear security measures to ensure the continued security of those facilities. Thus, an increase in the projections of new facilities is a contributing factor to the overall costs and benefits of the Regulations. As an example, the Canada Energy Regulator (CER) Canada’s Energy Future 2021 report^{footnote 22} predicted about 6600 MW(e) of SMR capacity (about 22 SMRs) to come online between 2040 and 2050. By comparison, the more recent 2023 CER Canada’s Energy Future report predicted up to 9000 MW(e) of new SMR capacity by 2036 (about 30 SMRs), which is a substantial increase from the 2021 report.

The main driver for the differences in monetized benefits between CG I and CG II are due to the increased projections for nuclear power plants. Climate change, energy security and electrification/decarbonization initiatives have led to a substantial increase in interest in nuclear energy from 2022 to present. Federally, at the COP28 meeting in 2023, Canada was one of the countries pledging to triple nuclear power by 2050.^{footnote 23} The Canada Energy Regulator, in its Energy Futures 2023 report, outlined the importance of new nuclear facilities (among other non-emitting sources of electricity) in Canada’s efforts and worldwide efforts to reach net-zero by 2050.^{footnote 24}

Further, at the provincial level, four provinces (Ontario, New Brunswick, Alberta and Saskatchewan) developed and published a strategic plan in 2022 for the development of SMRs in their respective provinces.^{footnote 25}

The provinces of Alberta and Saskatchewan agreed to cooperate and share information on nuclear energy.^{footnote 26} In Alberta, the Calgary-based company Energy Alberta is undertaking planning for a facility consisting of four large-scale CANDU reactors.^{footnote 27} Saskatchewan is considering the deployment of SMRs at potential sites and is targeted operation in the 2030s, contingent on its final decision in 2029.^{footnote 28}
In Ontario, the Independent Electricity System Operator (IESO) published a report on decarbonization that indicated Ontario would need approximately 17 GW of new nuclear generation capacity by 2050 to meet decarbonization goals.^{footnote 29} Overall, the government of Ontario has made nuclear power a major component of its long-term energy^{footnote 30} and economic planning.^{footnote 31} As examples, Bruce Power^{footnote 32} and Ontario Power Generation (OPG)^{footnote 33} had expressed their interest in the construction of new multi-unit nuclear facilities. Further, in April 2025, OPG was issued a licence to construct one SMR at the Darlington New Nuclear Project site.^{footnote 34}
New Brunswick highlighted in its 2023 Integrated Resource Plan that SMRs were critical to the future of the electricity supply in the province.^{footnote 35} As an example, in June 2023 New Brunswick Power submitted an application for a licence to prepare a site for a one-unit SMR.^{footnote 36}

The main monetized benefits from the Regulations are expected to result from cost savings for new nuclear facilities due to the implementation of performance-based regulations. The aforementioned reports and projections published from 2022 to 2024 outline a significant increase in potential new nuclear facilities from the projections that were available when the CG I RIAS was developed. Thus, when the most recent projections are used, the number of new facilities is increased, and therefore the monetized benefits (cost savings) increase significantly.

Cost-benefit analysis methodology

The CBA for the Regulations compared the incremental impacts between a baseline scenario and a regulatory scenario according to the Policy on Cost-Benefit Analysis. The baseline scenario shows the costs and benefits expected without the Regulations, as described in the status quo option in the “Instrument choice” section. The regulatory scenario describes the expected incremental impacts of the Regulations.

Monetized impacts are calculated using the Standard Cost Model (PDF) [SCM] from the Organization for Economic Co-operation and Development (OECD). This is an internationally recognized methodology for determining and calculating the monetized effects of government regulation on business. For this CBA, the SCM was used to calculate both the compliance costs and the administrative burden costs for the Regulations.

The Regulations will impact 5 HSS licensees, covering 13 sites, as well as 8 Class IA^{footnote 37} and Class IB^{footnote 38} licensees, covering 11 sites, which include research reactors, nuclear fuel fabrication facilities and nuclear substances processing facilities, which are non-HSS. Further, three organizations that transport nuclear material will be impacted to a more limited extent by the requirements for transportation security exercises.

During the initial development of the Regulations, there were no SMRs in operation or under construction in Canada. However, there are now several potential SMR projects that may be realized over the 12-year period of analysis. In support of this, four organizations with interest in SMR technologies (Ontario Power Generation, Bruce Power, New Brunswick Power and Canadian Nuclear Laboratories) provided monetized estimates of costs and benefits associated with the regulatory amendments in relation to proposed SMR facilities.

The data used in this CBA were obtained via consultation with stakeholders. When needed, remaining data for labour costs were obtained from Statistics Canada.^{footnote 39}

The CNSC identified certain elements of licensee operations that will be affected by the Regulations, including

monetized capital costs (new equipment/software and maintenance of that equipment/software);
monetized labour costs (revisions to programs/procedures, personnel training, new personnel time spent in security exercises);
monetized compliance costs for CNSC compliance activities;
monetized benefits related to security clearances and performance-based regulations; and
qualitative security benefits.

Present value totals are in 2023 CAD, with a present value base year of 2025 (when the regulations are registered and published) using a rate of 7% over a 12-year time period (2025–2036). This provides for a present value base year of 2025 and covers costs of industry and government over the period of 2025–2027 to come into compliance with the Regulations. It also considers impact for 10 years from the implementation date of the Regulations (2027) and aligns with the criteria in the Policy on Cost-Benefit Analysis and the associated Requirements for developing, managing and reviewing regulations. Discount rates of 0%, 3%, 5% and 10% were considered as part of the sensitivity analysis for the NSR.

Consultation on the cost-benefit analysis

The CNSC hosted workshops with affected stakeholders to determine the operational impacts (costs and benefits) of the various elements of the Regulations. The CNSC took an iterative approach to these workshops and conducted the workshops in multiple phases:

Introduction and overview of the regulatory cost-benefit process (June 21, 2021);
Reviewing the operational impacts (August 6, 2021); and
Reviewing the monetization of operational impacts (September 10, 2021).

These workshops included representatives from HSS, SMR proponents and non-HSS. Industry representatives submitted their preliminary monetization data in advance, which was later discussed at the September workshop. Following the workshop, industry revised the monetization data based on CNSC feedback and submitted the revised data. This revised data was reviewed by the CNSC and compared with internal cost information where available (i.e. contracts for TRAs, costs for security clearances and equipment costs related to cyber security) to obtain the final monetization data. Further outreach and discussions with impacted licensees took place in July and August 2024 regarding the costs and benefits of the substantive changes developed after the CG I prepublication.

The qualitative benefits were determined based on information from CNSC subject matter experts and benchmarking against international recommendations and best practices. The CNSC further discussed the qualitative benefits of the Regulations with industry stakeholders during the March 2023 commenters meeting and December 2023 industry discussions, and the industry stakeholders came to a better understating of the rationale and benefits of repealing and replacing the NSR.

Costs

The estimated total incremental present value cost of the Regulations will be $141.3 million. Costs are grouped according to the main themes of the amendments that will impose cost impacts on regulated parties. These themes are as follows:

New requirements for vital area nuclear security measures will incur a present value cost of $76.6 million.
New requirements for cyber security and the protection of sensitive information for all nuclear facilities will result in a present value cost of $24.5 million.
New requirements for backup alarm station will have a net present value cost of $14.5 million.
New requirements for nuclear substance monitoring and nuclear security measures will impose a present value cost of $6.4 million.
New requirements for the two-person rule will result in a present value cost of $6.1 million.
CNSC activities to verify compliance (cost recoverable activities) with the Regulations for all nuclear facilities will result in a present value cost of $4.08 million.
New requirements for security exercises and transportation security exercises at all nuclear facilities will result in a present value cost of $2.52 million.
New requirements for licensees to promote security culture at all nuclear facilities will impose a present value cost of $1.57 million.
New requirements to enhance the safety, security and safeguards interface at all nuclear facilities will impose a present value cost of $1.44 million.
New requirements for security guards at non-HSS will impose a present value cost of $1.38 million.
Changes to process/procedures for security clearances/screening will result in a present value cost of $1.22 million (this is offset by other amendments to clearance requirements as detailed in the “Benefits” section).
Changes to the requirements for TRAs at all nuclear facilities will impose a present value cost of $0.62 million.
Activities performed by CNSC (non-cost recoverable) to implement the Regulations (i.e. compliance promotion activities, additional training, updates to documentation such as inspection guides, and revisions to the AMP program) will impose a present value cost of $0.29 million.

Overall, the majority of the capital costs will be incurred between 2025 and 2027, as licensees prepare to be in compliance by the 2027 coming-into-force date. From 2027 onward, the labour costs are expected to be the main factor, as these are costs incurred every year as part of the operation and maintenance costs for the facility.

The monetized impacts of these themes (except for CNSC compliance activities) will be in the form of changes to licensees’ internal processes/programs/procedures, the purchase/upgrade and maintenance/repair of structures and/or equipment (hardware and/or software), and labour costs for staff performing the new duties required in the Regulations.

Costs for CNSC compliance activities are attributed to industry due to the CNSC being a cost-recovery organization under the Canadian Nuclear Safety Commission Cost Recovery Fees Regulations. Therefore, the costs incurred by the CNSC from compliance activities (e.g. inspections and desktop reviews) are billed back to the licensees. To verify compliance with the Regulations, the CNSC will perform more inspections and reviews of security programs and measures and thus charge more cost recovery fees to the regulated community.

The Canada Energy Regulator’s (CER) report entitled Canada’s Energy Future 2023 (PDF) indicated that the first year for SMR operation will be 2030. Thus, costs and benefits related to SMRs will be expected in the period of 2030–2036.

Benefits

The primary benefit to Canadians from the Regulations will be the reduction in risk of nuclear security incidents that will be derived from enhanced nuclear security. This reduction in risk cannot be quantified in a practical fashion and is treated qualitatively.

In addition, the prevention of damages to nuclear facilities that cause radioactive releases (from physical, cyber or insider threats) and the prevention of the theft of nuclear materials and nuclear substances will result in reduced health and safety risks to Canadians and the environment.

There will also be the reduced risk of economic damage due to power outages, such as lost revenue for power generating utilities, recovery costs related to nuclear security incidents, increased electricity costs and possible electricity or radioisotope shortages should certain nuclear facilities be offline for an extended period due to a security incident.

A further benefit will be economic benefits due to the provisions to allow for SeBD and off-site response forces as part of a nuclear facilities nuclear security system, as well as the implementation of a radiological consequence-based approach to determining sabotage targets at HSS.

Further discussions and examples of these benefits are provided in this RIAS and in the detailed CBA report.

Security events related to nuclear facilities

One of the main benefits to Canadians from the Regulations will be reduced risk of security events at nuclear facilities. These security events include both physical security and cyber security events, as well as threats from external adversaries and internal adversaries (insider threats). The types of nuclear security incidents targeted in the Regulations are rare in Canada and globally. However, when incidents do occur, their impacts are significant and far-reaching. Examples of incidents for both cyber security/information protection and for physical security, as well as information on the specific threats and risks from insider threats, are presented below, with additional examples and information included in the CBA report.

Cyber security and protection of sensitive information

Overall, cyber attack costs on the global business community were estimated at US$945 billion in 2021, which was an 80% increase over 2018, while other estimates put the total costs of cyber attacks in the order of several trillion US$ each year.^{footnote 40}
The Colonial Pipeline ransomware attack in the United States in May 2021^{footnote 41} resulted in the theft of 100 GB of data and shut down the pipeline for six days. Colonial Energy paid approximately US$5 million in ransom to restore the system. The pipeline outage caused shortages of airline fuels and motor vehicle fuel for several days in certain regions of the United States.
In 2013, the Canadian Anti-Fraud Centre received over 16 000 complaints of cyber-related fraud, accounting for more than $29 million in reported losses. A major example was known as “Citadel,” where botnets installed malware on computers to steal personal and financial data and targeted major financial institutions in Canada and internationally, costing an estimated $500 million in global economic losses.
According to a survey conducted by Public Safety Canada in 2017, nearly 70% of Canadian businesses have been victims of cyber attacks with an average cost of $15,000.^{footnote 42}
In September 2019, there was a cyber attack on the Kudankulam Nuclear Power Plant in Tamil Nadu, India, where a large amount of sensitive information was stolen off the administrative network.^{footnote 43} Due to the sensitive nature of the information that was stolen, this increased the risk of sabotage or the risk of theft of nuclear substances or nuclear material from the nuclear facility.
In 2010, the StuxNet cyber attack damaged approximately 1 000 centrifuges at an enrichment facility in Iran.
A December 2014 cyber attack targeted nuclear operators in South Korea. As part of this attack, designs and manuals of plant equipment were leaked and posted online, and threats were also made against several reactor facilities. The operator, KHNP, stated the data leak did not affect the safety of the reactors. In response, KHNP launched an investigation into the attack and conducted cyber security drills at several reactor facilities.

Physical security (sabotage and theft)

Several notable sabotage and theft incidents have occurred at nuclear facilities.^{footnote 44}

In 1982, explosives were attached to reactor pressure vessels at the Koeberg nuclear power plant in South Africa while the plant was under construction. The damages from this event cost approximately US$159 million (Can$214 million) and delayed the opening of the facility by 18 months.
In 2014, an unknown insider actor opened a locked valve and drained the lubricant from the reactor turbine from the Doel 4 nuclear power plant in Belgium. The cost to replace the turbine and the cost from lost power resulted in total damages of between $100 and US$200 million (between Can$135 and Can$260 million), resulting in one of the largest cases of economic sabotage.
A well-documented theft of highly enriched uranium (HEU) occurred in 1992 from the Luch Production Association in Russia, where an insider stole 1.5 kg (total) of HEU over several months.

Insider threats

Insider threat is a growing concern in the nuclear sector^{footnote 45} and one of the most challenging threats to HSS.^{footnote 46} Historically, almost all incidents of theft of nuclear material and sabotage of nuclear facilities have been committed or aided by insiders.^{footnote 47} In Canada, insider threats have been identified as a major risk to Canada’s national security^{footnote 48} and in 2022, Public Safety Canada published a report regarding recommended security actions to protect critical infrastructure from insider threats.^{footnote 49}

Security-by-design, off-site responses and radiological consequences

The Regulations will provide for applicants and licensees to include SeBD and/or off-site response forces as part of their nuclear security measures and their overall nuclear security system at the nuclear facilities. This will include utilizing SeBD and/or off-site response forces to perform an effective intervention against theft or sabotage of nuclear material and nuclear substances. The primary benefit of SeBD is aimed at advanced reactors/new builds, which could reduce the overall capital costs and operational costs of new reactor facilities, increasing the economic viability of new nuclear facilities. Further, utilizing SeBD could increase the overall security of a nuclear facility and enhance the integration of safety, security and safeguards at a facility, allowing for the optimization of these important concepts. As with SeBD, the use of off-site responders is seen as a strong contender to alleviate the security costs at nuclear facilities due to large contingents of on-site personnel and to make new/existing facilities more economically viable. Therefore, facilities that utilize SeBD and/or off-site response forces as part of their response/security provisions may see significant security improvements and significant cost savings/economic benefits.^{footnote 50}

The introduction of radiological consequences will address industry comments on the need to clarify the definition and the identification processes for vital areas at HSS and will apply a risk-informed approach to the identification of vital areas and with respect to effective interventions. The main benefit of using radiological consequences as a measure for identifying vital areas and for determining the most appropriate nuclear security measure for preventing an incident is that it will provide a scientific standard for new and existing HSS. Further, this standard will be risk-informed to ensure the appropriate nuclear security measures are in place at each facility based on the risk profile of that facility. The inclusion of radiological consequences will also provide for the use of SeBD to reduce or prevent radiological releases. Overall, the implementation of radiological consequences could lead to a reduced number of vital areas at HSS and therefore lead to reduced costs in terms of nuclear security measures and response personnel.

Additional information and discussion of the benefits of SeBD, off-site response forces and the implementation of a consequence-based approach is provided in the CBA report.

Monetized benefits

The present-value monetized benefits for the Regulations will be $221.5 million. The monetized benefits of the Regulations will primarily stem from cost savings associated with allowing regulated parties to determine their own security (response force) staffing ($196.8 million present value) and security systems ($16.8 million present value) to prevent the unauthorized removal of nuclear substances or sensitive information from malicious actors, including potential insider threats. The changes to the validity period of site access clearance, from 5 years to 10 years, will result in a cost savings of $7.9 million present value.

The cost savings for the performance-based provisions were calculated as follows.

Projections for future SMR deployments for this CBA were based on the central scenario from the data provided as part of the CER’s report entitled Canada’s Energy Future 2023 (PDF). This report projected SMR deployment to begin in 2030 and then accelerate from the mid-2030s up through 2050. In general, SMRs are considered to have a capacity of up to 300 megawatts electric (MWe).^{footnote 51} Certain proposed designs of SMR, such as the BWRX-300^{footnote 52} that was selected by OPG and is under consideration by SaskPower, are of the 300 MWe capacity. For this calculation, it is assumed that each 300 MWe of projected capacity would result in one SMR.

To determine capital cost reductions, data on the costs of security systems/structures were found in the published literature. These costs ranged from US$1.00 to US$6.00 per kilowatt electric (kWe),^{footnote 53,}^{footnote 54,}^{footnote 55} with a central case of US$4.00/kWe (Can$5.40) used in the CBA. Potential savings for system/structure costs were found via a published case study from Sandia National Laboratories.^{footnote 56,}^{footnote 57} This study investigated the potential for cost savings for SeBD for security system costs for advanced reactors, using a 300 MWe SMR as a text case. This study found that SeBD considerations could reduce the capital costs of the system by approximately 40%. Thus, this reduction by a factor of 40% was applied to the central case to find savings due to SeBD of structures/systems of Can$2.16/kWe. Applying the new cost to a 300 MWe SMR leads to an (undiscounted) savings of $972,000 per SMR. Afterwards, the cost reduction per SMR is multiplied by the projected number of SMRs to reach the total cost reductions (monetized benefits) for SeBD for performance-based requirements for security systems. These monetized benefits would represent one-time (up front) cost savings.

The monetized benefits for cost savings for security staff due to performance-based regulations utilized the same projections for the number of new SMRs as detailed above. As detailed earlier in this RIAS, the provisions for SeBD and off-site response forces in the Regulations will provide for reductions in security staff at HSS, and specifically staff who make up the on-site nuclear response force (NRF). To calculate those cost savings, the hourly wage values and number of positions that were reduced were required. The hourly wage values for nuclear security officers (NSOs) who comprise the NRF was found to be from $50 to $54, with 10% vacation pay and additional benefits.^{footnote 58} The CBA considered a central case of $52.00/hour, and after applying the 10% vacation pay and the standard 25% overhead for internal employees based on the Standard Cost Model (PDF), the overall cost per full-time equivalent (FTE) per year was $143,000. As these positions are staffed continuously, each position requires approximately 5 FTEs. Consultation with industry stakeholders on the CBA before the CG I prepublication indicated that an SMR facility that utilizes SeBD and off-site response forces could reduce overall positions by 5, which would mean an overall decrease of 25 FTEs. At cost per FTE of $143,000, this entails a reduction in operating costs of approximately $3,575,000 million per SMR. These monetized benefits would represent annual (ongoing) cost savings.

There are four underlying assumptions made when using these data. First, it was assumed that only SMRs were built in the CER report; therefore, no large scale (e.g. 1 000 MWe scale) reactor facilities were considered. The second assumption was that each SMR would be an individual facility (assumed no multi-unit facilities), thus no sharing of security systems or staff between reactor units located at the same facility. In both of those cases, it is likely there would be certain economic advantages, and the monetized benefits of the Regulations may be lower. The third assumption was that the published data for nuclear security systems was reflective of modern nuclear facilities. The published data on reactor facility costs often does not reflect increased security system/structure costs due to upgrades after the 9/11 terrorist attacks.^{footnote 59} Existing costs estimates for reactor facilities are largely based on case studies in the United States and France from large reactor build-outs in the 1970s and 1980s.^{footnote 60} However, there have been relatively few new reactors built in North America since the 9/11 attacks; thus, there is not a significant amount of published data on the most recent security system/structure costs. Due to this, the monetized benefits (cost savings) are likely understated. Lastly, it was assumed that the monetized benefits for the performance-based requirements would only result in cost savings for new facilities, but not existing facilities. As one of the main drivers for the Regulations is to transition to performance-based requirements to facilitate SMR development, SMRs and new facilities are the focus of the monetized benefits from these regulatory changes.

The monetized benefits related to the amended provisions for site access clearance were calculated using the same methodology as in the CBA for the CG I prepublication.

Refer to the CBA report for additional information and additional scenarios as part of the sensitivity analysis.

Overall, the enhanced deployment of SMRs will lead to long-term cost savings (net benefits) due to the performance-based regulations, based on certain projections for SMR deployment (refer to the sensitivity analysis for more information). Irrespective of potential SMR deployments, the monetized impacts may show a net cost for the Regulations. However, the benefits are expected to outweigh the quantitative costs if all the benefits could reasonably be quantified.

Impacts of the consequential amendments

There will be no monetized impacts from the proposed consequential amendments due to the Regulations. The consequential amendments to the Class I Nuclear Facilities Regulations, the Nuclear Substances and Radiation Devices Regulations and the Packaging and Transport of Nuclear Substances Regulations, 2015 would only amend references in those regulations for the corresponding section numbers in the Regulations.

Administrative monetary penalties (AMPs)

The amendments to the Administrative Monetary Penalties Regulations (Canadian Nuclear Safety Commission) also amend the references in these regulations to the proposed section numbers in the Regulations. There would be several new administrative monetary penalties (AMPs) added due to the proposed new requirements in the Regulations (such as for cyber security). However, these proposed new AMPs would be handled via the regular processes and procedures already implemented by licensees and by the CNSC. Relevant staff at nuclear facilities and CNSC staff (such as site inspectors) would require additional training on the Regulations, and the new AMPs would be included as part of that training. However, it is expected that the costs for such training would be minimal.

Overall, the use of AMPs benefits the Canadian public by allowing the CNSC to enforce requirements using an administrative process rather than resorting to prosecution in the courts. Judicial proceedings often result in considerable costs to the federal government and to the individual and/or corporation involved and may be too harsh a tool to utilize except in extreme circumstances.

Cost-benefit statement

Number of years: 12 (2025 to 2036)
Base year for costing: 2023
Present value (PV) base year: 2025
Discount rate: 7%

Table 1: Monetized benefits (millions)
Impacted stakeholder	Description of benefit	2025	2030	2036	Total (PV)	Annualized value
Industry	Performance-based requirements (security staff)	$0.00	$2.55	$52.40	$196.83	$24.78
	Performance-based requirements (security systems)	$0.00	$0.69	$3.54	$16.82	$2.12
	Security clearance validity period	$0.00	$0.87	$0.58	$7.91	$1.00
All stakeholders	Total benefits	$0.00	$4.11	$56.52	$221.55	$27.89

Table 2: Monetized costs (millions)
Impacted stakeholder	Description of cost	2025	2030	2036	Total (PV)	Annualized value
Industry	Vital area nuclear security measures	$21.00	$3.13	$1.14	$76.62	$9.65
	Cyber security and information protection	$2.88	$2.06	$1.37	$24.50	$3.09
	Central alarm station (backup)	$1.50	$1.14	$1.08	$14.48	$1.82
	Central alarm station (two-person rule)	$0.00	$0.14	$1.51	$6.16	$0.78
	Nuclear substance security and monitoring	$0.75	$0.54	$0.36	$6.40	$0.81
	CNSC compliance activities	$0.00	$0.26	$0.66	$4.08	$0.51
	Security exercises	$0.00	$0.20	$0.33	$2.52	$0.32
	Security culture	$0.00	$0.08	$0.30	$1.57	$0.20
	Safety, security and safeguards interface	$0.00	$0.07	$0.27	$1.44	$0.18
	Security guard qualification and training	$0.00	$0.07	$0.27	$1.38	$0.17
	Security clearances	$0.00	$0.11	$0.13	$1.22	$0.15
	Threat and risk assessments	$0.07	$0.05	$0.03	$0.62	$0.08
Government (CNSC)	Implementation activities	$0.075	$0.0035	$0.0025	$0.29	$0.036
All stakeholders	Total costs	$26.29	$7.86	$7.46	$141.28	$17.79

Table 3: Summary of monetized costs and benefits (millions)
Impacts	2025	2030	2036	Total (PV)	Annualized value
Total benefits	$0.00	$4.11	$56.52	$221.55	$27.89
Total costs	$26.21	$7.85	$7.45	$141.3	$17.79
NET IMPACT	($26.29)	($3.74)	$49.06	$80.29	$10.11

Sensitivity analysis

The central case for the CBA used the central scenario for projected SMR growth from the CER Canada’s Energy Future 2023 using the associated published data.^{footnote 61} The central scenario was the “Net-Zero World” scenario. There were two other main scenarios, the “Net-Zero Canada” scenario (highest SMR growth) and the “Current/Baseline” scenario, which reflects the lowest SMR growth (0–1 SMR) as if the current baseline remained into the future. These two scenarios were considered as a component of the sensitivity analysis. In addition, the two Net-Zero scenarios each contained a sub-scenario of lowered SMR growth due to high costs. These five scenarios (including the central scenario) were considered as a component of the sensitivity analysis.

From the results, it was seen that using the highest-growth SMR projections yielded a net present value (NPV) of $240.6 million, mainly due to the cost savings of the performance-based regulations over a larger deployment of SMRs. Conversely, if few to no SMRs are deployed, as in the low case, then the NPV results in a net negative of $101.1 million. In this scenario, there would be no new facilities to take advantage of economic benefits from the performance-based regulations; therefore, there are few monetized benefits from the Regulations. However, it should be noted that regardless of the projects from SMR deployment, the qualitative benefits would outweigh the quantitative costs if they could be quantified practically.

Table 4: Net present value (NPV) results from small modular reactor projections (SMR)
NPV — High SMR scenario	NPV — High SMR scenario (low SMR sub-scenario)	NPV — Central case	NPV — Central case (Low SMR sub-scenario)	NPV— low SMR/baseline
$240.6 million	$119.6 million	$80.29 million	$13.8 million	$101.1 million

The NPV and annualized averages are sensitive to changes in the discount rate. This is due to two factors: the back-loaded monetized benefits for new reactor facilities and the front-loaded capital costs for requirements, such as vital area security measures. For the benefits, the largest source of monetized benefits (cost savings) is due to the performance-based requirements for new reactor facilities, which are expected to start in 2030 and slowly accelerate from there. Thus, the large majority of the monetized benefits are in the later years of the 10-year time frame, making the benefits susceptible to variations in the discount rates. In terms of costs, the majority of the costs are related to capital costs of vital area security measures and backup central alarm stations, which would be incurred in the first five years of the Regulations and would not be sensitive to the discount rate.

Although there is a large variance in NPV based on the change in discount rates, all of the modelled discount rates result in a positive NPV and annualized average.

Table 5: Net present value (NPV) results from discount rate sensitivity analysis
Discount rate (%)	NPV (in millions of dollars)	Annualized averages (in millions of dollars)
0.0	$222.4	$18.5
3.0	$148.3	$14.9
5.0	$110.7	$12.5
7.0 (central scenario)	$80.29	$10.1
10.0	$45.1	$6.6

The complete sensitivity analysis is found in the CBA report.

Distributional analysis

The new requirements in the Regulations for TRAs, security exercises and nuclear substance monitoring will be applied to non-HSS, while those provisions already apply to HSS in the NSR. While cyber security is not an explicit requirement in the NSR, all HSS have implemented the standard CSA N290.7, Cyber security for nuclear power plants and small reactor facilities as per the requirements of the licence conditions for those facilities.^{footnote 62} However, non-HSS had not implemented the requirements of that standard under the NSR. Thus, several of the new provisions in the Regulations will have a proportionately higher impact on the non-HSS when compared to HSS, as shown in the table below.^{footnote 63}

Table 6: Breakdown of the costs per stakeholder group (in millions of dollars)
Stakeholder group	Net present value (NPV)costs	Annualized averages
Multi-unit nuclear power plant (HSS)	$90.75	$11.43
Single-unit power plants and Canadian nuclear laboratory (CNL) facilities (HSS)	$21.97	$2.77
Small modular reactors (SMR)/advanced reactors	$18.01	$2.27
Class IB nuclear substance processing facilities (non-HSS)	$5.10	$0.64
Fuel fabrication facilities (non-HSS)	$4.07	$0.51
Research reactors (Academic institutions) (non-HSS)	$1.01	$0.13
Transport organizations	$0.06	$0.01
Government (CNSC)	$0.29	$0.036
TOTAL	$141.26	$17.80

As seen in the table above, multi-unit nuclear power plants will see the greatest overall monetized cost increases, mainly due to the requirements for vital area security measures, upgraded cyber security, the protection of sensitive information provisions and provisions for backup central alarm stations. Non-HSS will see costs spread over more items than HSS, due to the aforementioned new requirements related to threat and risk assessments, private security guards,^{footnote 64} security exercises and nuclear substance monitoring for those facilities. However, the total cost per facility will be much lower for non-HSS than HSS. Nevertheless, non-HSS will also see a large monetized benefit from the changes to the security screening requirements. There will not be a requirement for the enhanced (5-year) site access clearances, since all personnel at non-HSS will transition to a 10-year security screening validity.

In terms of monetized benefits for performance-based regulations, SMRs/new reactors will experience significant benefits (cost savings) due to the provisions related to SeBD, off-site response forces and radiological consequences. Overall, these provisions will comprise the large majority of monetized benefits.

The complete distributional analysis for the NSR is found in the CBA report.

Small business lens

Analysis under the small business lens concluded that the Regulations will not impact Canadian small businesses.

One-for-one rule

The Regulations will repeal an existing regulatory title (the NSR) and replace it with a new regulatory title of the same name. The Regulations will impose a new administrative burden on applicants and licensees to demonstrate compliance with the new regulatory requirements, such as cyber security and the protection of information for all licensees, and new TRAs and security exercises for non-HSS licensees. The administrative burden related to the Regulations will encompass reporting/submitting information/documentation to the CNSC to demonstrate compliance, notifying the CNSC for certain activities (e.g. security exercises), meeting with internal/external stakeholders, copying/filing information, such as for new TRAs, and assisting CNSC with compliance verification activities, such as inspections.

Overall, the annualized administrative cost is estimated at $44,310 (2012 Canadian dollars, a 7% discount rate and a 2012 present value base year), and the annualized administrative costs per business is found to be $3,382.

Administrative burden was discussed and considered during the cost-benefit workshops with licensees from June to October 2021, and industry stakeholders included their estimates of administrative burden in their submissions to the CNSC. The CNSC reviewed these submissions and provided additional guidance and clarification to licensees on the specific costs for which the administrative burden applies, as defined by the Red Tape Reduction Act and as calculated per the Red Tape Reduction Regulations. Licensees revised their submissions related to administrative burden, which later informed the administrative burden calculations performed by the CNSC.

Regulatory cooperation and alignment

The Regulations are not related to a work plan or commitment under a formal regulatory cooperation forum.

Alignment with international regulatory regimes

Several of the objectives of the Regulations are to align the Regulations with international requirements and best practices. These include entry into force of the Amendment to the Convention on the Physical Protection of Nuclear Material (CPPNM);

new recommendations, guidance and international best practices published by the IAEA;
recommendations from the 2015 IAEA IPPAS mission; and
recommendations from the 2019 IAEA Integrated Regulatory Review Service (IRRS) mission.

The Regulations will reflect the current security requirements in the IAEA CPPNM and will align with international standards. The CPPNM established measures related to the prevention, detection and punishment of offences pertaining to nuclear material. It is the only international legally binding convention related to the physical protection of nuclear material, and was signed by Canada on March 3, 1980.

The Amendment to the CPPNM came into force on May 8, 2016. This increased the scope of the CPPNM to encompass physical protection requirements for nuclear facilities and nuclear material in domestic use, storage and transportation. It expanded upon the scope of offences identified in the CPPNM (e.g. the theft of nuclear material) and also introduced new offences, such as smuggling nuclear material and sabotaging nuclear facilities. As part of the Amendment, states, including Canada, are required to prevent and combat offences and to minimize the radiological consequences of sabotage. The Regulations will ensure that Canada continues to fulfill its international obligations for the security of nuclear and radioactive materials.

Canada will be addressing several recommendations and suggestions from the 2015 IPPAS report in the Regulations. In total, five amendments are directly linked to the IPPAS mission findings to (1) improve nuclear security culture; (2) improve the protection of sensitive information; (3) enhance the interface between safeguards, security and safety; (4) conduct transportation security drills and exercises at nuclear facilities; and (5) implement the two-person rule in the Central Alarm Station. In addition, the Regulations will address the suggestions from the 2019 IRRS peer review mission to strengthen safety and security interfaces.

Assessment of aligned jurisdictions

The CNSC undertook an assessment of similarly capable and aligned jurisdictions with the broad objective of identifying areas of commonality and alignment. It was identified that several other countries have implemented or are in the process of implementing performance-based/outcome-based regulations for their nuclear security regulatory regime. In addition, these states have implemented or are in the process of implementing provisions, such as off-site alarm stations, off-site response forces and radiological consequence-based approaches. Country-specific information is provided below:

The U.S. Nuclear Regulatory Commission (USNRC) is proposing to revise its regulatory framework to take a performance-based, risk-informed technology neutral approach to regulating nuclear power plants in the U.S., as per recent U.S. federal legislation.^{footnote 65} In addition, the USNRC approved a new rule, in 2024, to modernize nuclear security in the U.S., such as removing requirements for the minimum amount of on-site response personnel. The rule allows for the use of off-site response forces and off-site secondary/backup alarm stations, which ensures that revised requirements for physical barriers permit engineered safety functions (SeBD) or other alternative measures.^{footnote 66} In addition, the USNRC has committed to reviewing radiological consequence-based regulations in the future.

The United Kingdom (U.K.) completed a transition of its nuclear security regime from a prescriptive framework to an outcome-based (performance-based) framework in 2022.^{footnote 67} This included a transition to a radiological consequence-based approach for the prevention of sabotage.

France has maintained a performance-based approach to nuclear facilities, and the flexibility of that regime has meant that the framework did not need to be updated frequently in order to mitigate new risks or technologies.^{footnote 68}

Overall, the CNSC nuclear security framework will be aligned with recent nuclear security modernization initiatives in other countries. The CNSC recognizes the importance of regulatory cooperation and will continue to engage with similarly capable and politically aligned jurisdictions.

Coordination with orders of government

Although nuclear security is within the federal domain, the CNSC has engaged relevant provincial partners in order to gather feedback and perspectives on the impact of the regulatory changes on the implementation of provincial public safety regulations. The Regulations will not put any requirements on the provincial public safety regulations but will continue to require licensees to have a relationship and agreements, as necessary, with the provincial and territorial governments.

The CNSC held a workshop with provincial government departments and agencies on June 23, 2021, to inform them of the CNSC’s regulatory proposals and obtain feedback. In total, three provincial government organizations attended this workshop. The provincial government departments did not express any concerns regarding the proposal.

Effects on the environment

In accordance with the Cabinet Directive on Strategic Environmental and Economic Assessment, a preliminary scan concluded that a strategic environmental and economic assessment is not required.

Although an environmental and economic assessment is not required, it should be noted that the Regulations will likely result in some qualitative environmental benefits. Nuclear energy in Canada contributes to climate change and other emission reduction objectives, as nuclear energy will displace significant amounts of greenhouse gases when compared to fossil fuel power plants, such as natural gas.^{footnote 69} Nuclear energy has a role in future electrification and decarbonization initiatives and is expected to aid in meeting Canada’s net-zero objectives while also meeting growing electricity demand.^{footnote 70} Further, Canada’s pledge to triple nuclear power by 2050 recognizes the importance of current and future nuclear power generation for the world to realize its climate change and greenhouse gas emission reduction goals.

As an example, the restart of two reactor units at the Bruce Nuclear Generating Station contributed, in 2014, to the phaseout of coal power in Ontario.^{footnote 71}

Gender-based analysis plus

The CNSC has conducted a gender-based analysis plus (GBA+) review of the Regulations and determined that differential impacts on the basis of identity factors, such as gender, race, sexuality and religion are unlikely. Gender demographics within the nuclear security sector are not expected to be influenced by the Regulations, and CNSC staff assess that the Regulations will neither exacerbate nor reinforce existing gender disparities in the industry.

The roles and responsibilities covered under the Regulations are based on qualifications, competencies and security requirements, which will not differentiate on the basis of gender or other identity factors. Therefore, the regulatory requirements will apply equally to all individuals, regardless of gender or other intersecting identity characteristics. The objective of the Regulations remains centred on enhancing security measures without introducing or perpetuating any inequality within the workforce.

Overall, the Regulations are designed to strengthen nuclear security while ensuring fairness, inclusivity and equal opportunity for all individuals, regardless of gender or other intersecting identity factors.

Implementation, compliance and enforcement, and service standards

Implementation

The Regulations will come into force on the day upon which they are registered, with the exception of the requirements for existing HSS and non-HSS, which will come into force two years following the registration of the Regulations.

Licensees have been kept informed of the regulatory development process and expected timelines to help them plan for implementation. The CNSC will work with licensees to coordinate the implementation of the Regulations. One such example is the Nuclear Security Advisory Group (NUSAG). This group was formed in 2023 and consists of the CNSC and licensees. The group meets quarterly to discuss topics of importance to nuclear security, which include implementation, compliance and enforcement considerations in preparation for the coming into force of the Regulations.

At the time that the Regulations are published in the CG II, the CNSC will inform all relevant licensees of that publication. CNSC communications will also inform stakeholders of the publication via social media and email lists. Additional compliance promotion and outreach activities will be carried out through existing quarterly meetings with HSS licensees.

New applicants (proponents of licence applications for new facilities) will need to comply with the Regulations once the Regulations are registered and published in the CG II. Should a licence be issued for a new facility, the accepted licence application will form the basis for the nuclear security compliance program at that facility.

Implications for other jurisdictions (domestic and international)

The CNSC has consulted with relevant provincial and federal police forces regarding response arrangements for nuclear security events at HSS and non-HSS, as well as for transportation applications. Police responses are important to ensure effective interventions against DBT threats or any threats identified in the licensee’s Threat and Risk Assessment. The CNSC continues to maintain communication and regular consultations with relevant police forces. Those police forces also participate in security exercises, and the NSR includes a requirement to ensure that adequate coordination, communication and collaboration are established to respond to a nuclear security event. The CNSC has developed regulatory guidance in the supporting REGDOCs regarding response arrangements with police forces and will verify those agreements during inspections and performance testing exercises.

Fund sources

The CNSC is a cost recovery organization. Therefore, costs related to compliance verification activities, such as inspections, will be cost recovered as per the Canadian Nuclear Safety Commission Cost Recovery Fees Regulations. The cost impacts due to cost recovery were considered in the CBA for the Regulations.

Guidance, technical documents and enforcement plans

CNSC staff will be reviewing and updating internal guidance, work instructions and templates to align with the changes in the Regulations and the associated REGDOCs.

Supporting REGDOCs will be posted for public consultation following publication in the CG II in 2025 in order to provide an opportunity for the industry, Indigenous Nations and communities, as well as members of the public to provide further feedback and comments on the REGDOCs. Following the consultation period, the draft REGDOCs will be revised to address stakeholder feedback and brought to the CNSC for acceptance for publication.

Compliance and enforcement

The CNSC’s graduated approach to enforcement encourages and compels compliance while deterring future non-compliance. When non-compliance (or continued non-compliance) has been identified, CNSC staff assess the significance of the non-compliance and determine the appropriate enforcement action based on the CNSC’s graduated approach to enforcement. Each enforcement action is a discrete and independent response to non-compliance.

To ensure licensees remain in compliance with the provisions of the regulators, CNSC inspectors regularly verify that licensees are complying with the NSCA and its regulations and will perform inspections of the relevant facilities and activities in accordance with the powers of inspectors under section 32 of the Nuclear Safety and Control Act. These will include, but will not be limited to, field inspections of facilities, Type I and Type II inspections of processes, and inspections of licensee submissions, such as threat and risk assessments, security plans and other documentation (refer to CNSC REGDOC-3.6, Glossary of CNSC Terminology for definitions), as well as assessments of security drills and exercises.

Non-compliance with the requirements of the Regulations will be subject to CNSC regulatory oversight. Licensees will need to develop and submit a corrective action plan, and the CNSC will monitor the status of those actions to ensure their completion. When necessary, the CNSC will take enforcement actions (including, but not limited to, AMPs) using a graduated approach to enforcement to encourage and compel compliance and deter future non-compliance. Further information is provided in CNSC documentation, available on the CNSC webpage titled “The CNSC’s approach to compliance verification and enforcement.”

Contact

Sarah Graham
Acting Director
Regulatory Framework Division
Canadian Nuclear Safety Commission
280 Slater Street
P.O. Box 1046, Station B
Ottawa, Ontario
K1P 5S9
Email: Consultation@cnsc-ccsn.gc.ca

Footnotes

Footnote a

S.C. 2012, c. 19, s. 129(1)

Return to footnote a referrer

Footnote b

S.C. 1997, c. 9

Return to footnote b referrer

Footnote 1

SOR/2000-204

Return to footnote 1 referrer

Footnote 2

SOR/2000-207

Return to footnote 2 referrer

Footnote 3

SOR/2013-139

Return to footnote 3 referrer

Footnote 4

SOR/2015-145

Return to footnote 4 referrer

Footnote 5

SOR/2000-209

Return to footnote 5 referrer

Footnote 6

Canadian Centre for Cyber Security, National Cyber Threat Assessment 2025–2026, 2024.

Return to footnote 6 referrer

Footnote 7

Nuclear Threat Initiative, Time to Change Course on Nuclear Security, 2024.

Return to footnote 7 referrer

Footnote 8

Recommendation: A recommendation is advice on improvements that should be made in the areas that have been evaluated and discussed with the host country. Such advice must be based on the Convention on the Physical Protection of Nuclear Material (CPPNM) and its 2005 Amendment, security provisions of the Code of Conduct on the Safety and Security of Radioactive Sources, IAEA Nuclear Security Fundamentals and IAEA Nuclear Security Recommendations. Recommendations are specific, realistic and designed to result in tangible improvements. (Source: IPPAS Guidelines [PDF] (PDF))

Return to footnote 8 referrer

Footnote 9

Suggestion: A suggestion may either be an additional proposal in conjunction with a recommendation or a stand-alone item following discussion of the associated topic with the host country. It contributes to improvements in the State nuclear security regime, by indicating useful expansions of existing programs and pointing to better alternatives to current work practices. In general, it should stimulate competent authority, other relevant entities and the facility or transportation operator’s management and staff to consider ways and means of enhancing nuclear security. Suggestions are based on international good practices and/or IAEA nuclear security implementing guides and technical guides. (Source: IPPAS Guidelines [PDF] (PDF))

Return to footnote 9 referrer

Footnote 10

The Steering Committee is a group of Canadian provincial governments, territorial governments and power utilities interested in the potential for development, demonstration and deployment of SMRs in Canada. The findings and recommendations of this report reflect the views of the voting members of the Steering Committee. Natural Resources Canada supports the Steering Committee in a convening role and participates as a non-voting member. Atomic Energy of Canada Limited participates in the SMR Roadmap Steering Committee as a non-voting member. (Source: SMR Roadmap [PDF])

Return to footnote 10 referrer

Footnote 11

Achieving net-zero emissions means our economy either emits no greenhouse gases or offsets its emissions. (Source: Net-zero emissions by 2050)

Return to footnote 11 referrer

Footnote 12

The characteristics of a potential adversary in respect of which countermeasures are incorporated into the design and evaluation of a physical protection system. (Source: Nuclear Security Regulations)

Return to footnote 12 referrer

Footnote 13

The CNSC began using this e-consultation platform in 2020. Prior to that, documents were posted on the CNSC’s public website for public consultation, where stakeholders would submit their comments via e-mail. Unlike the e-consultation platform, live feedback on stakeholder comments was not possible. Thus at that time, the stakeholder comments were posted online to allow for stakeholder feedback on the submitted comments.

Return to footnote 13 referrer

Footnote 14

REGDOCs provide clarification of the regulatory requirements and provide guidance on meeting those requirements. (Source: Regulatory documents)

Return to footnote 14 referrer

Footnote 15

A licence issued under section 24. (Source: Nuclear Safety and Control Act)
Note: This legal document issued by the CNSC or a designated officer allows an activity (defined under section 26) to be carried out. The NSCA authorizes the CNSC and, in some cases, designated officers to grant licences for purposes listed in section 26 of the NSCA. (Source: CNSC Glossary)

Return to footnote 15 referrer

Footnote 16

Guidance documents such as CSA standards or CNSC REGDOCs become regulatory requirements once included in the licence conditions or the licensing basis for a facility. For more information on licence conditions and the licensing basis, refer to CNSC REGDOC-3.5.3, Regulatory Fundamentals.

Return to footnote 16 referrer

Footnote 17

The classification scheme of Canada’s information classification scheme to develop risk-informed regulatory requirements for information protection to align with IAEA NSS 23-G, Security of Nuclear Information (PDF).

Return to footnote 17 referrer

Footnote 18

A D-value is the quantity of radioactive material that is considered a dangerous source. A dangerous source is one that, if uncontrolled, could result in death or a permanent injury that decreases that person’s quality of life. Source: IAEA — Dangerous Quantities of Radioactive Material (D-Values).

Return to footnote 18 referrer

Footnote 19

Nuclear Threat Initiative, Nuclear Threat Index: We’re falling short on nuclear security at a dangerous time, 2023.

Return to footnote 19 referrer

Footnote 20

Wang, Weimin, “High Inflation in 2022 in Canada: Demand–pull or supply–push?”, Statistics Canada, 22 May 2024.

Return to footnote 20 referrer

Footnote 21

Inflation Calculator - Bank of Canada

Return to footnote 21 referrer

Footnote 22

Canada Energy Regulator, CER – Canada’s Energy Future 2021

Return to footnote 22 referrer

Footnote 23

Natural Resources Canada, “COP28: Declaration to Triple Nuclear Energy (2023)”, 20 December 2023.

Return to footnote 23 referrer

Footnote 24

Canada Energy Regulator, “Canada’s Energy Future 2023: Energy Supply and Demand Projections to 2050”, 11 September 2024.

Return to footnote 24 referrer

Footnote 25

Governments of Ontario, New Brunswick, Alberta and Saskatchewan, “A strategic plan for the deployment of small modular reactors”, 2022

Return to footnote 25 referrer

Footnote 26

Government of Saskatchewan, “Saskatchewan and Alberta Partner to Advance Nuclear Power Generation | News and Media | Government of Saskatchewan”, 2 May 2024,

Return to footnote 26 referrer

Footnote 27

Impact Assessment Agency of Canada, Peace River Nuclear Power Project, 14 April 2025.

Return to footnote 27 referrer

Footnote 28

SaskPower, “Planning for Nuclear Power”, 11 September 2024.

Return to footnote 28 referrer

Footnote 29

IESO, “Pathways to Decarbonization”, 15 December 2022.

Return to footnote 29 referrer

Footnote 30

Government of Ontario, “Ontario Tackles Energy Demand by Introducing Affordable Energy Act”, 23 October 2024.

Return to footnote 30 referrer

Footnote 31

Government of Ontario, “2024 Ontario Economic Outlook and Fiscal Review: Building Ontario for You”, 30 October 2024.

Return to footnote 31 referrer

Footnote 32

Government of Ontario, “Ontario Starts Pre-Development Work for New Nuclear Generation at Bruce Power”, 5 July 2023.

Return to footnote 32 referrer

Footnote 33

Government of Ontario, “Ontario Building More Small Modular Reactors to Power Province’s Growth”, 7 July 2023.

Return to footnote 33 referrer

Footnote 34

CNSC, Decision by the Commission to authorize Ontario Power Generation Inc. to construct 1 BWRX-300 reactor at the Darlington New Nuclear Project site - Canada.ca, 4 April 2025

Return to footnote 34 referrer

Footnote 35

Energie NB Power, “2023 Integrated Resource Plan: Pathways to a Net-Zero Electricity System”, 2023.

Return to footnote 35 referrer

Footnote 36

CNSC, Proposed nuclear facility – NB Power’s ARC-100 Project at the Point Lepreau Nuclear Generating Station site, 24 July 2024.

Return to footnote 36 referrer

Footnote 37

A Class IA nuclear facility is a nuclear fission or fusion reactor or subcritical nuclear assembly or a vehicle that is equipped with a nuclear reactor.

Return to footnote 37 referrer

Footnote 38

A Class IB nuclear facility may be any of the following nuclear facilities:

a facility that includes a particle accelerator, other than a particle accelerator described in paragraphs (d) and (e) of the definition “Class II prescribed equipment” in section 1 of the Class II Nuclear Facilities and Prescribed Equipment Regulations;
a plant for the processing, reprocessing or separation of an isotope of uranium, thorium or plutonium;
a plant for the manufacture of a product from uranium, thorium or plutonium;
a plant, other than a Class II nuclear facility as defined in section 1 of the Class II Nuclear Facilities and Prescribed Equipment Regulations, for the processing or use, in a quantity greater than 10¹⁵ Bq per calendar year, of nuclear substances other than uranium, thorium or plutonium;
a facility for the disposal of a nuclear substance generated at another nuclear facility; and
a facility prescribed by paragraph 19(a) or (b) of the General Nuclear Safety and Control Regulations.

Return to footnote 38 referrer

Footnote 39

Table 14-10-0307-01 Employee wages by occupation, annual (formerly CANSIM 282-0152).

Return to footnote 39 referrer

Footnote 40

Swiss RE Institute, Cyber risk: Why we need a new approach to handling this explosive threat.

Return to footnote 40 referrer

Footnote 41

United States Department of Energy, Office of Cybersecurity, Energy Security and Emergency Response, Colonial Pipeline Cyber Incident.

Return to footnote 41 referrer

Footnote 42

Public Safety Canada, Consultation on cyber security.

Return to footnote 42 referrer

Footnote 43

Reuters, IAEA chief: Nuclear power plant was disrupted by cyber attack.

Return to footnote 43 referrer

Footnote 44

Bunn, Matthew, “Insider Threats to Nuclear Security,” Oxford Handbook of Nuclear Security, pp. 102-120, 20 June 2023.

Return to footnote 44 referrer

Footnote 45

Parker, Clifton, “Insider threats biggest challenge to nuclear security,” Stanford University Centre for International Security and Cooperation, 2014.

Return to footnote 45 referrer

Footnote 46

International Atomic Energy Agency, IAEA Nuclear Security Series No. 8, Preventive and Protective Measures Against Insider Threats.

Return to footnote 46 referrer

Footnote 47

Bunn, Mathew, “Insider Threats to Nuclear Security,” The Oxford Handbook of Nuclear Security, 20 June 2023.

Return to footnote 47 referrer

Footnote 48

Baxter, David, “Insider threats a major risk to Canada’s security: ex-CSIS official,” Global News, 25 February 2024.

Return to footnote 48 referrer

Footnote 49

Public Safety Canada, Enhancing Canada’s Critical Infrastructure Resilience to Insider Risk, 2022.

Return to footnote 49 referrer

Footnote 50

Evans, Alan et al., U.S. Domestic Pebble Bed Reactor: Security-by-design (PDF), Sandia National Laboratories, October 2021.

Return to footnote 50 referrer

Footnote 51

IAEA, “What are Small Modular Reactors (SMRs)?,” 13 September 2023.

Return to footnote 51 referrer

Footnote 52

OPG, “Site preparation progress – Fall 2024” 2024, Small modular reactors | Darlington SMR – OPG.

Return to footnote 52 referrer

Footnote 53

Abou-Jaoude, Abdalla, et al., “Literature Review of Advanced Reactor Cost Estimates (PDF),“ (Technical Report) | OSTI.GOV, US Department of Energy Office of Scientific and Technical Information and Idaho National Laboratories, 1 June 2023.

Return to footnote 53 referrer

Footnote 54

Abou-Jaoude, Abdalla, et al., “Meta-Analysis of Advanced Nuclear Reactor Cost Estimations (PDF),” (Technical Report) | OSTI.GOV, US Department of Energy Office of Scientific and Technical Information and Idaho National Laboratories, 1 June 2024.

Return to footnote 54 referrer

Footnote 55

Prosser, Jacob H. et al., “First-Principles Cost Estimation of a Sodium Fast Reactor Nuclear Plant (PDF),” Idaho National Laboratories, January 2024.

Return to footnote 55 referrer

Footnote 56

Evans, Alan, “Security-by-Design Options for Advanced and Small Modular Reactors (PDF),” Proceedings of the INMM and ESARDA Joint Annual Meeting, 22-26 May 2023.

Return to footnote 56 referrer

Footnote 57

Evans, Alan, Russell, John L., and Cipiti, Benjamin B., “New Security Concepts for Advanced Reactors (PDF),” Nuclear Science and Engineering, American Nuclear Society, 1 November 2022.

Return to footnote 57 referrer

Footnote 58

Power Workers Union, “Bruce Power - Nuclear Security Officer”, 2024.

Return to footnote 58 referrer

Footnote 59

Electric Power Research Institute (EPRI), ”Advanced Nuclear Technology: Economic-based Research and Development Roadmap for Nuclear Power Plant Construction,” 27 June 2019.

Return to footnote 59 referrer

Footnote 60

Lovering, Jessica R., Arthur Yip und Ted Nordhaus, “Historical construction costs of global nuclear power reactors (PDF),“ Energy Policy, volume 91, pp. 371-382, April 2016.

Return to footnote 60 referrer

Footnote 61

Canada Energy Regulator. “Canada’s Energy Future Data Appendices.”

Return to footnote 61 referrer

Footnote 62

Documents, such as CSA standards and CNSC REGDOCs, are considered regulatory requirements if they have been included, in whole or in part, in the licence conditions or licensing basis for the facility. For definitions and explanations of licence conditions and licensing basis, refer to CNSC REGDOC-3.5.3, Regulatory Fundamentals.

Return to footnote 62 referrer

Footnote 63

Around 80% of the CNSC compliance costs were attributed to HSS, with the remaining 20% evenly distributed amongst the non-HSS.

Return to footnote 63 referrer

Footnote 64

HSS employ nuclear security officers (NSOs) for security purposes. Thus, this requirement does not apply to HSS.

Return to footnote 64 referrer

Footnote 65

Federal Register, “Risk-Informed, Technology-Inclusive Regulatory Framework for Advanced Reactors,” October 31, 2024.

Return to footnote 65 referrer

Footnote 66

USNRC, “NRC Approves Proposed Rule on Physical Security Requirements for Advanced Reactors (PDF),” 18 June 2024.

Return to footnote 66 referrer

Footnote 67

Hobbs, Christopher, and Parkhouse, Tom, “The United Kingdom’s Transition from Prescriptive to Outcome-Focused Nuclear Security Regulation,” The Oxford Handbook of Nuclear Security, 22 May 2023, https://doi.org/10.1093/oxfordhb/9780192847935.013.19.

Return to footnote 67 referrer

Footnote 68

Gaucher, Regine, Languin, Thomas, and Ducousso, Erik, “Building a Nuclear Security Regime: Questions to be Asked,” Nuclear Law: The Global Debate, IAEA, Nuclear Law: The Global Debate | SpringerLink

Return to footnote 68 referrer

Footnote 69

Natural Resources Canada, “The Canadian Nuclear Energy Technology,” 8 January 2025.

Return to footnote 69 referrer

Footnote 70

Canada Energy Regulator, “CER — Market Snapshot: The Potential Role of Nuclear in Canada’s Energy Future” 6 July 2022.

Return to footnote 70 referrer

Footnote 71

Government of Ontario, “The End of Coal,” 25 January 2023.

Return to footnote 71 referrer

Nuclear Security Regulations: SOR/2025-219

Nuclear Security Regulations

Definitions

PART 1 General Provisions

Definition

Application

Licence Application

Security Requirements

Nuclear Security Plan

Threat and Risk Assessment

Security Program

Cyber Security and Protection of Information

Security Obligations Relating to Nuclear Substances

PART 2 High-Security Sites

Definition

Application

Licence Application

Design Basis Threat

Security Requirements

Nuclear Security Officers

Response Forces

Contingency Plan

Security Drill and Security Exercise Program

Central Alarm Station

Backup Alarm Station

Clearances and Authorizations

Clearances

High-security Site Access Clearance

Enhanced Security Clearance

Record

Revocation

Authorizations

Exceptions

Access to Protected Area

Access to Vital Area and Inner Area

Records

Security Personnel

Nuclear Security Officers

Nuclear Security Support Person

Central Alarm Station Operator

Record

Revocation

Nuclear Security Measures

Power Supply

Protected Area

Vital Areas

Inner Area

Access Control

Prohibitions

Identity Verification

Vehicle Access

Inner Area Access

Searches

PART 3 Other Nuclear Facilities

Definition

Application

Facility-access Security Clearance

Access Control

Access to Nuclear Facility

Searches and Screening

Security Exercise

PART 4 Licence to Transport

PART 5 Consequential Amendments, Transitional Provisions, Repeal and Coming into Force

Consequential Amendments

Class I Nuclear Facilities Regulations

Nuclear Substances and Radiation Devices Regulations

Administrative Monetary Penalties Regulations (Canadian Nuclear Safety Commission)

Packaging and Transport of Nuclear Substances Regulations, 2015

Transitional Provisions

Repeal

Coming into Force

SCHEDULE

Table b2 note(s)

REGULATORY IMPACT ANALYSIS STATEMENT

Executive summary

Issues

The NSR are overly prescriptive

Evolving threat environment and cyber security threats

International recommendations, guidance and best practices

Changes to Government of Canada security clearance standards

PART 1
General Provisions

PART 2
High-Security Sites

PART 3
Other Nuclear Facilities

PART 4
Licence to Transport

PART 5
Consequential Amendments, Transitional Provisions, Repeal and Coming into Force